Ask Your Question
0

Windows remote ssh capture not getting packets

asked 2020-02-23 12:11:49 +0000

diegoj.dominguez gravatar image

updated 2020-02-23 18:03:08 +0000

Scenario: Host: Windows 10 pro Guest (VirtualBox): Ubuntu Server 18.04 Wireshark version: 3.2.1 (v3.2.1-0-gbf38a67724d0)

Test #1, local capture in guest Ubuntu) When typed in Ubuntu terminal (as root):

tcpdump -ni enp0s8 -s 0 -w - not port 22

It does work, capturing packets to tty screen

Test #2, plink remote capture) From Windows’ console:

plink.exe -batch -ssh -pw charate19 [email protected] "tcpdump -ni enp0s8 -s 0 -w - not port 22" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i –

Wireshark connects but gets no packet (root ssh password login is enabled)

tcpdump is running OK in Ubuntu:

UID        PID      PPID    C STIME     TTY          TIME CMD
root     10542  10447  0 11:30      ?        00:00:00 tcpdump -ni enp0s8 -s 0 -w - not port 22

Test #3, Wireshark’s ssh remote capture From Windows’s Wireshark, SSH remote capture interface, with options:

Remote SSH server address = 192.168.176.2
Remote SSH server port = 22
Remote SSH server username = root
Remote SSH server password = my-password
Remote interface = enp0s8
Remote interface = enp0s8
Remote capture command = /usr/sbin/tcpdump -s 0 -w -
Remote capture filter = not port 22
Packets to capture = 0

Again, Wireshark connects but gets no packet

tcpdump is running in Ubuntu (but no interface set):

UID        PID  PPID  C STIME TTY          TIME CMD
root     10677 10560  0 11:47 ?        00:00:00 /usr/sbin/tcpdump -s 0 -w –

As neither interface nor filter appear, the same but with:

Remote capture command = /usr/sbin/tcpdump -ni enp0s8 -s 0 -w - not port 22

UID        PID  PPID  C STIME TTY      TIME CMD
root     11246 11149  0 11:51 ?        00:00:00 /usr/sbin/tcpdump -ni enp0s8 -s 0 -w - not

Summary: Remote Wireshark gets no packet, but launches remote tcpdump with right parameters

edit retag flag offensive close merge delete

Comments

Wireshark version? Ideally, post the contents of the Help > About Wireshark > Wireshark tab.

grahamb gravatar imagegrahamb ( 2020-02-23 13:06:59 +0000 )edit

You might break it into separate parts for testing.

plink.exe -batch -ssh -pw charate19 [email protected] "tcpdump -ni enp0s8 -s 0 -w - not port 22" > test.pcap

(if not running in a writable directory, specify a full path to the output file in a directory which is writable) Then open the pcap file with wireshark. If all that working then figure out why pipe not working.

Chuckc gravatar imageChuckc ( 2020-02-23 15:10:17 +0000 )edit

Wireshark version: 3.2.1 (v3.2.1-0-gbf38a67724d0)

I did the test you suggested before, and after closing the plink command, the test.pcap had all the traffic inside.

diegoj.dominguez gravatar imagediegoj.dominguez ( 2020-02-23 17:07:45 +0000 )edit
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2020-02-23 18:40:09 +0000

Chuckc gravatar image

updated 2020-02-23 18:41:28 +0000

Does the tcpdump you're using support -U or some other option to disable buffering?


   -U
   --packet-buffered
          If  the -w option is not specified, make the printed packet out-
          put ``packet-buffered''; i.e., as the description  of  the  con-
          tents of each packet is printed, it will be written to the stan-
          dard output, rather than, when not writing to a terminal,  being
          written only when the output buffer fills.

          If  the -w option is specified, make the saved raw packet output
          ``packet-buffered''; i.e., as each packet is saved, it  will  be
          written  to the output file, rather than being written only when
          the output buffer fills.

          The -U flag will not be supported if tcpdump was built  with  an
          older  version of libpcap that lacks the pcap_dump_flush() func-
          tion.
edit flag offensive delete link more

Comments

Test string I'm using while running a constant ping in another connection to the capture machine:

C:\Program Files\Wireshark>plink -batch -ssh -pw xxxx root@kali "tcpdump -i eth0 -s 0 -w - -U icmp" | wireshark -k -i -
Chuckc gravatar imageChuckc ( 2020-02-23 18:46:32 +0000 )edit

The '-U' option did the trick. It works OK by now

Thank you very much, it was driving me crazy

diegoj.dominguez gravatar imagediegoj.dominguez ( 2020-02-23 19:11:59 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-02-23 12:11:49 +0000

Seen: 4,257 times

Last updated: Feb 23 '20

Related questions

Wireshark 2.4.1 GTK Crash on long run

wifi disconnects as wireshark starts

what determines the final windows scaling factor?

Failed to run MSBuild command (CMake Error at CMakeLists.txt:22 (project))

No CMAKE_C(XX)_COMPILER could be found

I am having trouble with Wireshark starting using Windows 10.

Not able to build the wireshark

Error while building wireshark source code using MSbuild

Help to set up a "pass through bridge" sniffer

"No interfaces found" on Windows 10 laptop