C:\Program Files\Wireshark\extcap>sshdump.exe --extcap-interface sshdump.exe --extcap-config | findstr /I password
arg {number=3}{call=--remote-password}{display=Remote SSH server password}{type=password}{tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}{group=Authentication}
arg {number=5}{call=--sshkey-passphrase}{display=SSH key passphrase}{type=password}{tooltip=Passphrase to unlock the SSH private key}{group=Authentication}

{type=password}

From the Wireshark Developer’s Guide:
"Password strings are not saved, when the extcap configuration is being saved"
extcap.sshdump_exe.remotepassword is not a valid preference.

If you have access to WSL (Windows Subsystem for Linux):

~$ which Wireshark.exe
/mnt/c/Program Files/Wireshark/Wireshark.exe
~$
~$ ssh [email protected] "tcpdump -U -i eth0 -w -" | Wireshark.exe -k -i -
[email protected]'s password:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes


If running in a DOS (Command) window, look at using Plink, available in PuTTY.

C:\Program Files\Wireshark>"C:\Program Files\PuTTY\plink.exe" -ssh -batch -pw pword1 [email protected] "tcpdump -U -i eth0 -s 0 -w - not tcp port 22" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -


tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

(Leaving this here for reference. Piping sshdump to wireshark -k -i - should work but there is something with pipe buffering on Windows that doesn't allow it. A similar command string on Ubuntu works.)

C:\Program Files\Wireshark\extcap>sshdump.exe --extcap-interface sshdump.exe --remote-host ubuntu1 --remote-username user1 --remote-password pword1 --remote-port 22 --remote-interface eth0 --fifo="-" --capture | ..\Wireshark.exe -k -i -


 ** (wireshark:3756) 12:24:39.044078 [Main MESSAGE] -- Wireshark is up and ready to go, elapsed time 6.091s
 ** (wireshark:3756) 12:24:39.044078 [Capture MESSAGE] -- Capture Start ...
 ** (wireshark:3756) 12:24:39.295339 [Capture MESSAGE] -- Capture started
 ** (wireshark:3756) 12:24:39.295339 [Capture MESSAGE] -- File: "C:\Users\xxxxx\AppData\Local\Temp\wireshark_-DXRC60.pcapng"
 ** (wireshark:3756) 12:24:39.404328 [Capture MESSAGE] -- Error message from child: "Frame 6 too long (895828 bytes)", ""
 ** (wireshark:3756) 12:24:41.032392 [Capture MESSAGE] -- Capture stopped.
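
Added example, not part of the original answer and not Wireshark code: since arguments marked `{type=password}` are not saved and end up being typed on the command line, a wrapper that logs the commands it launches can read the `--extcap-config` output to learn which flags carry secrets and mask their values. The function names and the first sample line are assumptions made for this illustration.

```python
import re

# Lines 2-3 are copied from the --extcap-config output above; line 1 is a
# constructed non-password argument added for contrast.
SAMPLE_CONFIG = """\
arg {number=0}{call=--remote-host}{display=Remote host (constructed line)}{type=string}
arg {number=3}{call=--remote-password}{display=Remote SSH server password}{type=password}{tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}{group=Authentication}
arg {number=5}{call=--sshkey-passphrase}{display=SSH key passphrase}{type=password}{tooltip=Passphrase to unlock the SSH private key}{group=Authentication}
"""

PAIR = re.compile(r"\{(\w+)=([^}]*)\}")  # one {key=value} group


def parse_args(config_text):
    """Return one dict per 'arg' sentence, keyed by the {key=value} names."""
    parsed = []
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("arg "):
            parsed.append(dict(PAIR.findall(line)))
    return parsed


def secret_flags(config_text):
    """Command-line flags whose extcap type is 'password'."""
    return {a["call"] for a in parse_args(config_text)
            if a.get("type") == "password" and "call" in a}


def redact(argv, flags, mask="***"):
    """Mask secret values in both '--flag value' and '--flag=value' forms."""
    out, hide_next = [], False
    for token in argv:
        name, sep, _ = token.partition("=")
        if hide_next:                      # value following a secret flag
            out.append(mask)
            hide_next = False
        elif name in flags and sep:        # --flag=value
            out.append(name + "=" + mask)
        else:
            out.append(token)
            hide_next = name in flags      # --flag value: mask next token
    return out


if __name__ == "__main__":
    cmd = ["sshdump.exe", "--remote-host", "ubuntu1",
           "--remote-password", "pword1", "--capture"]
    print(" ".join(redact(cmd, secret_flags(SAMPLE_CONFIG))))
```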


