Ask Your Question
0

Windows remote ssh capture not getting packets

asked 2020-02-23 12:11:49 +0000

diegoj.dominguez gravatar image

updated 2020-02-23 18:03:08 +0000

Scenario: Host: Windows 10 pro Guest (VirtualBox): Ubuntu Server 18.04 Wireshark version: 3.2.1 (v3.2.1-0-gbf38a67724d0)

Test #1, local capture in guest Ubuntu) When typed in Ubuntu terminal (as root):

tcpdump -ni enp0s8 -s 0 -w - not port 22

It does work, capturing packets to tty screen

Test #2, plink remote capture) From Windows’ console:

plink.exe -batch -ssh -pw charate19 [email protected] "tcpdump -ni enp0s8 -s 0 -w - not port 22" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i –

Wireshark connects but gets no packet (root ssh password login is enabled)

tcpdump is running OK in Ubuntu:

UID        PID      PPID    C STIME     TTY          TIME CMD
root     10542  10447  0 11:30      ?        00:00:00 tcpdump -ni enp0s8 -s 0 -w - not port 22

Test #3, Wireshark’s ssh remote capture From Windows’s Wireshark, SSH remote capture interface, with options:

Remote SSH server address = 192.168.176.2
Remote SSH server port = 22
Remote SSH server username = root
Remote SSH server password = my-password
Remote interface = enp0s8
Remote interface = enp0s8
Remote capture command = /usr/sbin/tcpdump -s 0 -w -
Remote capture filter = not port 22
Packets to capture = 0

Again, Wireshark connects but gets no packet

tcpdump is running in Ubuntu (but no interface set):

UID        PID  PPID  C STIME TTY          TIME CMD
root     10677 10560  0 11:47 ?        00:00:00 /usr/sbin/tcpdump -s 0 -w –

As neither interface nor filter appear, the same but with:

Remote capture command = /usr/sbin/tcpdump -ni enp0s8 -s 0 -w - not port 22

UID        PID  PPID  C STIME TTY      TIME CMD
root     11246 11149  0 11:51 ?        00:00:00 /usr/sbin/tcpdump -ni enp0s8 -s 0 -w - not

Summary: Remote Wireshark gets no packet, but launches remote tcpdump with right parameters

edit retag flag offensive close merge delete

Comments

Wireshark version? Ideally, post the contents of the Help > About Wireshark > Wireshark tab.

grahamb gravatar imagegrahamb ( 2020-02-23 13:06:59 +0000 )edit

You might break it into separate parts for testing.

plink.exe -batch -ssh -pw charate19 [email protected] "tcpdump -ni enp0s8 -s 0 -w - not port 22" > test.pcap

(if not running in a writable directory, specify a full path to the output file in a directory which is writable) Then open the pcap file with wireshark. If all that working then figure out why pipe not working.

Chuckc gravatar imageChuckc ( 2020-02-23 15:10:17 +0000 )edit

Wireshark version: 3.2.1 (v3.2.1-0-gbf38a67724d0)

I did the test you suggested before, and after closing the plink command, the test.pcap had all the traffic inside.

diegoj.dominguez gravatar imagediegoj.dominguez ( 2020-02-23 17:07:45 +0000 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2020-02-23 18:40:09 +0000

Chuckc gravatar image

updated 2020-02-23 18:41:28 +0000

Does the tcpdump you're using support -U or some other option to disable buffering?


   -U
   --packet-buffered
          If  the -w option is not specified, make the printed packet out-
          put ``packet-buffered''; i.e., as the description  of  the  con-
          tents of each packet is printed, it will be written to the stan-
          dard output, rather than, when not writing to a terminal,  being
          written only when the output buffer fills.

          If  the -w option is specified, make the saved raw packet output
          ``packet-buffered''; i.e., as each packet is saved, it  will  be
          written  to the output file, rather than being written only when
          the output buffer fills.

          The -U flag will not be supported if tcpdump was built  with  an
          older  version of libpcap that lacks the pcap_dump_flush() func-
          tion.

edit flag offensive delete link more

Comments

Test string I'm using while running a constant ping in another connection to the capture machine:

C:\Program Files\Wireshark>plink -batch -ssh -pw xxxx root@kali "tcpdump -i eth0 -s 0 -w - -U icmp" | wireshark -k -i -
Chuckc gravatar imageChuckc ( 2020-02-23 18:46:32 +0000 )edit

The '-U' option did the trick. It works OK by now

Thank you very much, it was driving me crazy

diegoj.dominguez gravatar imagediegoj.dominguez ( 2020-02-23 19:11:59 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-02-23 12:11:49 +0000

Seen: 4,279 times

Last updated: Feb 23 '20