
Remote tcpdump into local wireshark


All times are UTC - 6 hours


 PostPosted: Tue Mar 31, 2009 3:35 pm   

Something I wrote at work to quickly start multiple tcpdump sessions on remote hosts and dump the output to wireshark sessions on my desktop.
It's badly commented, needs to be cleaned up and improved.
Depending on the speed of your pc and internet connection you may have to play a bit with the sleep value in the startsession function to prevent the script from detecting the wrong pids of the ssh and wireshark sessions. These work for me on both my home and work pc. YMMV.
Obviously I use this in combination with ssh keys to prevent having to type passwords.
Filters given after the -f flag are tcpdump filters (host 192.168.24.1 and proto ICMP etc.) and are valid for all hosts and interfaces provided.
The filters must be placed between quotes " ".
If there is enough bandwidth I prefer not to use tcpdump filters and filter in wireshark, as you can place filters on each host and its interfaces.

Feel free to improve :)


Last edited by tripkipke on Thu Jan 13, 2011 12:28 pm, edited 1 time in total.
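An added example, not part of the post above and not tripkipke's script: how to compose the tcpdump filter the post describes (exclude the ssh port you are talking over, then AND the user's filter) and quote it so the remote login shell hands it to tcpdump as one argument. The function names (sh_quote, build_filter, remote_command, quote_roundtrip) are this example's own. The point a practitioner trips over is precedence: "not port 22 and host A or host B" parses as "(not port 22 and host A) or host B", which lets the capture see its own ssh packets and feed back on itself, so the user filter goes in parentheses.

```shell
#!/bin/sh
# Added example, not part of the original post: build the tcpdump filter the
# way the post describes (exclude the ssh port we are talking over, then AND
# the user's filter) and quote it so the remote login shell hands it to
# tcpdump as a single argument.  Function names are this example's own.

# sh_quote STRING: single-quote STRING for a POSIX shell.  Embedded single
# quotes become '\'' (close quote, escaped quote, reopen).  Trailing newlines
# in STRING are dropped by the command substitution, which is fine for a
# one-line filter.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# build_filter SSHPORT [USER_FILTER]: the BPF expression to give tcpdump.
# "not port SSHPORT" keeps the capture from seeing its own ssh traffic (each
# captured packet would otherwise generate more ssh packets to capture); the
# parentheses keep an "or" inside USER_FILTER from overriding that exclusion:
#   not port 22 and host A or host B   ==   (not port 22 and host A) or host B
build_filter() {
    port=$1
    user=${2:-}
    case $port in
        ''|*[!0-9]*) printf 'build_filter: bad ssh port "%s"\n' "$port" >&2; return 1 ;;
    esac
    if [ -n "$user" ]; then
        printf 'not port %s and (%s)\n' "$port" "$user"
    else
        printf 'not port %s\n' "$port"
    fi
}

# remote_command IFACE FILTER: the string the remote login shell will run.
# ssh joins its trailing arguments with spaces and hands the result to that
# shell, so the quoting has to survive exactly one level of shell parsing.
remote_command() {
    printf 'tcpdump -w - -s0 -nli %s %s\n' "$(sh_quote "$1")" "$(sh_quote "$2")"
}

# quote_roundtrip STRING: parse sh_quote's output the way the remote shell
# will and return what tcpdump would receive; used to check the quoting.
quote_roundtrip() {
    eval "printf '%s' $(sh_quote "$1")"
}

# Usage: ./filter.sh <ssh port> <iface> [tcpdump filter]
# Prints the ssh command line you would run (HOST and the fifo path are
# placeholders); nothing is executed.
if [ $# -ge 2 ]; then
    filter=$(build_filter "$1" "${3:-}") || exit 1
    printf 'ssh -p %s -C -l root HOST %s > /path/to/fifo &\n' \
        "$1" "$(sh_quote "$(remote_command "$2" "$filter")")"
fi
```

The remote command is passed to ssh as a single argument; the remote shell strips one level of quotes, so tcpdump receives the whole filter as one argv entry regardless of the spaces, parentheses and brackets in it.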

 PostPosted: Wed Jan 12, 2011 3:30 pm   

Cleaned it up...

Code:
#!/bin/bash

## Default settings
# ssh protocol version. -1 selects the obsolete SSH-1 protocol, which current
# OpenSSH no longer supports; leave this at -2.
SSHV="-2"
# remote ssh port
PORT="22"
# be verbose?
VERBOSE=false

# Set known hosts to /dev/null and no strict hostkey checking.
# Caveat: this disables host-key verification, so the root login and the whole
# capture can be intercepted by anyone able to answer for the target IP.
# Leave this variable empty and keep real entries in ~/.ssh/known_hosts unless
# the hosts are throwaway.
HOSTCHECK="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"

## Usage ...
Usage() {
   cat << USAGE
usage: $(basename "$0") [-v] [-p port] [-f "tcpdump filter"] [-1|-2] ip interface
Look at the script...
less $(type wiredump | cut -d ' ' -f 3)
USAGE
exit 1
}

## If no arguments are given show Usage
[ "$#" = "0" ] && Usage

## if the verbose flag is set, echo date and string
Verbose() {
    ${VERBOSE} && echo "[$(date +"%D %H:%M:%S")]: $*"
    return 0
}

while getopts ":vp:f:12" options
do
    case $options in
        v)
        VERBOSE=true
        ;;
        p)
        PORT=${OPTARG}
        ;;
        f)
        FIL=${OPTARG}
        ;;
        1)
        SSHV="-1"
        ;;
        2)
        SSHV="-2"
        ;;
        *|?)
        Usage
        ;;
    esac
done

## Exclude the port we are connecting to, otherwise the capture sees its own
## ssh traffic and every captured packet generates more packets to capture
FILTER="not port ${PORT}"

## Add optional filters, in parentheses so an "or" in them cannot undo the
## port exclusion (the filter must not itself contain single quotes)
[ -n "${FIL}" ] && FILTER="${FILTER} and (${FIL})"
Verbose "The current tcpdump filter is: ${FILTER}"

## remove any arguments found so far
shift $((OPTIND - 1))

## Check for ip and interface and set the variables; stop if either is missing
[ -z "$1" ] && { echo "No IP address" >&2; Usage; }
IP=$1
shift
[ -z "$1" ] && { echo "No interface" >&2; Usage; }
IFACE=$1
shift
Verbose "Remote host: ${IP}"
Verbose "Remote interface: ${IFACE}"

Exit() {
    clear
    exit
}

Cleanup() {
    ## kill the ssh session if it is still running (kill -0 only tests that
    ## the pid exists; the earlier pkill -0 -P looked for children of the pid
    ## instead of the pid itself)
    if [ -n "${SSHPID}" ] && kill -0 "${SSHPID}" 2>/dev/null; then
        kill "${SSHPID}"
    fi

    ## Kill wireshark if it is still running
    if [ -n "${WSPID}" ] && kill -0 "${WSPID}" 2>/dev/null; then
        kill "${WSPID}"
    fi

    ## Remove our pipe
    if [ -e "${PIPE}" ] ; then
        rm -f "${PIPE}"
        Verbose "Pipe removed"
    fi
    Exit
}

## our trap (clean up on Ctrl-C or kill)
trap Cleanup INT TERM

## Set up the named pipe, readable only by us so other local users cannot
## read the capture; mkfifo fails instead of following a pre-existing path
PIPE="/tmp/${IP}_${IFACE}.${RANDOM}"
Verbose "Creating the named pipe"
mkfifo -m 600 "${PIPE}" || exit 1
Verbose "Created pipe: ${PIPE}"

## The tcpdump command, run by the remote login shell. The single quotes make
## the filter a single argument to tcpdump on the far side.
## Note: tcpdump only needs CAP_NET_RAW/CAP_NET_ADMIN, so a dedicated capture
## user (via sudo or setcap) is preferable to logging in as root.
TCPDCMD="tcpdump -w - -s0 -nli ${IFACE} '${FILTER}'"

## Starting ssh session with remote tcpdump. ssh is backgrounded with & rather
## than -f so that $! is its pid: no sleep and no pgrep guessing. -n keeps it
## off our stdin, and BatchMode makes a missing key fail at once instead of
## hanging on a password prompt in the background.
Verbose "Starting the ssh session"
ssh ${SSHV} -p "${PORT}" ${HOSTCHECK} -o BatchMode=yes -n -C -l root "${IP}" "${TCPDCMD}" > "${PIPE}" &
SSHPID=$!
Verbose "Ssh PID: ${SSHPID}"

## Starting wireshark, reading from the pipe
wireshark -k -i "${PIPE}" &
WSPID=$!
Verbose "Wireshark PID: ${WSPID}"

## Wait for both sides (closing wireshark breaks the pipe, which ends ssh),
## then clean up
wait
Cleanup

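An added example, not the script above: the named-pipe plumbing between the remote tcpdump (writer) and wireshark (reader), with the writer's PID taken from $! instead of "sleep 2; pgrep -f", and the pipe created mode 0600 in a private mktemp directory instead of a guessable /tmp name. ssh/tcpdump and wireshark are replaced by a constructed producer (it writes a pcap global header and nothing else) and an od-based consumer so it runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the original script: the FIFO plumbing between the
# remote tcpdump (writer) and wireshark (reader).  ssh/tcpdump and wireshark
# are replaced by a constructed producer and an od-based consumer so this runs
# offline; function names are this example's own.

# Constructed stand-in for "ssh host tcpdump -w - ...": writes the 24-byte pcap
# global header (magic 0xa1b2c3d4 little-endian, version 2.4, zone 0,
# sigfigs 0, snaplen 65535, linktype 1 = Ethernet) and no packets, which is a
# valid, empty capture stream.
fake_producer() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000'
}

# capture_via_fifo: create the pipe, start the writer in the background,
# consume in the foreground, then tear everything down (the script's Cleanup).
# Returns the hex of the first four bytes the consumer received.
capture_via_fifo() {
    dir=$(mktemp -d) || return 1
    pipe="$dir/capture.pcap"
    # 0600 so other local users cannot read the capture; fails if the path exists.
    mkfifo -m 600 "$pipe" || { rmdir "$dir"; return 1; }

    # The writer blocks in open() until a reader opens the FIFO, so it must be
    # backgrounded before the reader starts.  $! is its PID, no guessing.
    fake_producer > "$pipe" &
    writer_pid=$!

    # Same teardown the script does in its INT/TERM trap.
    trap 'kill "$writer_pid" 2>/dev/null; rm -rf "$dir"; exit 130' INT TERM

    # Reader in the foreground (wireshark -k -i "$pipe" in the real script);
    # it reads until the writer closes its end.
    magic=$(od -An -tx1 -v "$pipe" | tr -d ' \n' | cut -c1-8)

    if wait "$writer_pid"; then rc=0; else rc=$?; fi
    trap - INT TERM
    rm -rf "$dir"
    [ "$rc" -eq 0 ] || return "$rc"
    printf '%s\n' "$magic"
}

# Run stand-alone: prints d4c3b2a1, the pcap magic as it arrives on the wire
[ $# -eq 0 ] && capture_via_fifo
```

Because the writer's open() blocks until a reader appears, the order is writer in the background first, reader second; the script gets this right by accident with -f and a sleep, whereas taking $! makes the PID correct regardless of how long ssh takes to connect.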

Powered by phpBB © 2011 phpBB Group
© 2003 - 2011 USA LINUX USERS GROUP