Pfsense / BSD pipe tcpdump over ssh

rfinterference · May 30, 2013, 5:38 PM

Hello,

I am trying to pipe tcpdump over ssh to my nix laptop running wireshark. The first problem I had was the console coming up when I used the admin account so I created a new user via the user manager. My new user was able to ssh in but could not run tcpdump so I added the new user to the wheel group. I can elevate this user from su - but when I run su tcpdump I get a response of "su Sorry". I wish I was better with BSD but everything I find online and running the command groups username this should be working. This is the command I am trying to use:

ssh user@XXX.XXX.XXX.XXX su tcpdump -U -w - 'not port 22' | wireshark -k -i -

Thanks in advance
rfi

wallabybob · May 30, 2013, 8:50 PM

@rfinterference:

ssh user@XXX.XXX.XXX.XXX su tcpdump -U -w - 'not port 22' | wireshark -k -i -

su is not sudo and sudo is not present in pfSense.
You need to give the remote system two commands:
1. su to switch to super user mode
2. tcpdump to get the packet capture.

I don't know how you would get the two commands to the remote session: maybe you need to dump a shell script on the remote system and start that.

stephenw10 · May 30, 2013, 9:13 PM

Just use root to avoid the menu? :-\

Steve

rfinterference · May 31, 2013, 1:13 PM

Root and admin both start with the console.

stephenw10 · May 31, 2013, 1:40 PM

You can usually use services such as SCP using root to avoid the console menu issue. The admin account cannot be used for that.
Have you actually tried using root?

Steve

rfinterference · May 31, 2013, 2:00 PM

Yes I tried using root but just as with the admin account it goes to the console. I took another guys advice and tried to script it but su - or su root completely breaks the script.

rfinterference · May 31, 2013, 3:49 PM

I am trying to script this using expect currently. Hopefully this will work.

jimp · Jun 3, 2013, 3:14 PM

I've done that before, using root and ssh keys. I cover the technique in the book in the packet capturing chapter.

wireshark -k -i <(ssh root@192.168.x.x tcpdump -i em0 -U -w - not tcp port 22)

Using su would really break that. If you must use an alternate account, you'll need to install sudo on the firewall and set it to allow at least tcpdump to run without a password for your user/group.

rfinterference · Jun 4, 2013, 2:48 AM

Thanks everyone that replied. I had looked into installing sudo but decided I didn't want to take the chance on breaking anything with the production machine.

In case anyone is interested the solution I used "fastest implementation" was to put taps in place on both sides of the pfsense box with a tiny linux computer connected to both taps and the lan. Now I can troubleshoot till my eyes bleed.

Best Regards
rfi