Ask Your Question
0

How can I pass the SSH password to sshdump

asked 2021-07-07 23:08:59 +0000

alerosmile gravatar image

I'd like to capture via sshdump using the Wireshark cli interface (wireshark -oextcap.sshdump_exe.remotehost:remotehost -oextcap.sshdump_exe.remotepassword:password) but Wireshark does not send the password to sshdump. How can I accomplish this? Thanks a lot!

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted
0

answered 2021-07-09 17:55:41 +0000

Chuckc gravatar image

updated 2021-07-09 18:40:33 +0000

From the Wireshark Developer’s Guide:
"Password strings are not saved, when the extcap configuration is being saved"

C:\Program Files\Wireshark\extcap>sshdump.exe --extcap-interface sshdump.exe --extcap-config | findstr /I password
        arg {number=3}{call=--remote-password}{display=Remote SSH server password}{type=password}{tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}{group=Authentication}
        arg {number=5}{call=--sshkey-passphrase}{display=SSH key passphrase}{type=password}{tooltip=Passphrase to unlock the SSH private key}{group=Authentication}

{type=password}

extcap.sshdump_exe.remotepassword is not a valid preference.

If you have access to WSL (Windows Subsystem for Linux):

~$ which Wireshark.exe
/mnt/c/Program Files/Wireshark/Wireshark.exe
~$
~$ ssh user1@ubuntu1 "tcpdump -U -i eth0 -w -" | Wireshark.exe -k -i -
user1@ubuntu1's password:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes


If running in a DOS (Command) window, look at using Plink available in Putty.

C:\Program Files\Wireshark>"C:\Program Files\PuTTY\plink.exe" -ssh -batch -pw pword1 user1@ubuntu1 "tcpdump -U -i eth0 -s 0 -w - not tcp port 22" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -


tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

(Leaving this here for reference. Piping sshdump to wireshark -k -i - should work but there is something with pipe buffering on Windows that doesn't allow it. A similar command string on ubuntu works.)

C:\Program Files\Wireshark\extcap>sshdump.exe --extcap-interface sshdump.exe --remote-host ubuntu1 --remote-username user1 --remote-password pword1 --remote-port 22 --remote-interface eth0 --fifo="-" --capture | ..\Wireshark.exe -k -i -


 ** (wireshark:3756) 12:24:39.044078 [Main MESSAGE] -- Wireshark is up and ready to go, elapsed time 6.091s
 ** (wireshark:3756) 12:24:39.044078 [Capture MESSAGE] -- Capture Start ...
 ** (wireshark:3756) 12:24:39.295339 [Capture MESSAGE] -- Capture started
 ** (wireshark:3756) 12:24:39.295339 [Capture MESSAGE] -- File: "C:\Users\xxxxx\AppData\Local\Temp\wireshark_-DXRC60.pcapng"
 ** (wireshark:3756) 12:24:39.404328 [Capture MESSAGE] -- Error message from child: "Frame 6 too long (895828 bytes)", ""
 ** (wireshark:3756) 12:24:41.032392 [Capture MESSAGE] -- Capture stopped.
edit flag offensive delete link more

Comments

Thanks a lot. This helps!!!

alerosmile gravatar imagealerosmile ( 2021-07-12 18:42:53 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2021-07-07 23:08:59 +0000

Seen: 2,270 times

Last updated: Jul 09 '21