My goal is to use sshdump to stream a packet capture from a remote linux host and save it to my computer locally. I cannot save it on the remote server and then transfer it due to space constraints.
Background
This works on both Macos and Windows (WSL), outputting tshark-formatted packets:
ssh rj@<server> "sudo /usr/sbin/tcpdump -s0 -i eth0 -n -U -w - not port 22" | tshark -r -
I would like to use sshdump because it is a Wireshark builtin. Compare the commands I am using below to the recommended command on the man page: sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10
--remote-username user --remote-filter "not port 22" This is my debug info (containing similar commands):
Macos
** (process:85808): DEBUG: cmdline: /Users/rj/code/wireshark/cmake/run/Wireshark.app/Contents/MacOS/extcap/sshdump --extcap-interface=sshdump --remote-host <my server> --remote-port 22 --remote-username rj --sshkey <path to sshkey> --sshkey-passphrase <my passphrase> --fifo /tmp/ssh.pcap --remote-sudo yes --remote-filter not port 22 --debug
** (process:85810): DEBUG: You should not come here... maybe some parameter missing?
Windows
** (sshdump.exe:368): DEBUG: cmdline: C:\Program Files\Wireshark\sshdump.exe --extcap-interface=sshdump --remote-host <my server> --remote-port 22 --remote-username rj --sshkey <path to sshkey> --sshkey-passphrase <my passphrase> --fifo C:\Users\rj\AppData\Local/ssh.pcap --remote-sudo yes --remote-filter not port 22 --debug
** (sshdump.exe:368): DEBUG: You should not come here... maybe some parameter missing?
Questions
- Is there anything obvious that I am doing wrong?
- How should I troubleshoot this?
- Is sshdump recommended or should I just use ssh and tcpdump (whose combination work on both machines)?
