Pfsense / BSD pipe tcpdump over ssh

General pfSense Questions
9 Posts 4 Posters 3.8k Views
  • rfinterference, last edited by May 30, 2013, 5:38 PM

    Hello,

    I am trying to pipe tcpdump over ssh to my *nix laptop running Wireshark. The first problem I had was the console menu coming up when I used the admin account, so I created a new user via the User Manager. My new user was able to ssh in but could not run tcpdump, so I added the new user to the wheel group. I can elevate this user with su -, but when I run su tcpdump I get a response of "su: Sorry". I wish I was better with BSD, but from everything I find online, and from running the command groups username, this should be working. This is the command I am trying to use:

    ssh user@XXX.XXX.XXX.XXX su tcpdump -U -w - 'not port 22' | wireshark -k -i -

    Thanks in advance
    rfi

    • wallabybob, last edited by May 30, 2013, 8:50 PM

      @rfinterference:

      ssh user@XXX.XXX.XXX.XXX su tcpdump -U -w - 'not port 22' | wireshark -k -i -

      su is not sudo and sudo is not present in pfSense.
      You need to give the remote system two commands:
      1. su to switch to super user mode
      2. tcpdump to get the packet capture.

      I don't know how you would get the two commands to the remote session: maybe you need to dump a shell script on the remote system and start that.

      • stephenw10 (Netgate Administrator), last edited by May 30, 2013, 9:13 PM

        Just use root to avoid the menu?  :-\

        Steve

        • rfinterference, last edited by May 31, 2013, 1:13 PM

          Root and admin both start with the console.

          • stephenw10 (Netgate Administrator), last edited by May 31, 2013, 1:40 PM

            You can usually use services such as SCP using root to avoid the console menu issue. The admin account cannot be used for that.
            Have you actually tried using root?

            Steve

            • rfinterference, last edited by May 31, 2013, 2:00 PM

              Yes, I tried using root, but just as with the admin account it goes to the console. I took another guy's advice and tried to script it, but su - or su root completely breaks the script.

              • rfinterference, last edited by May 31, 2013, 3:49 PM

                I am trying to script this using expect currently. Hopefully this will work.

                • jimp (Rebel Alliance Developer, Netgate), last edited by Jun 3, 2013, 3:14 PM

                  I've done that before, using root and ssh keys. I cover the technique in the book in the packet capturing chapter.

                  wireshark -k -i <(ssh root@192.168.x.x tcpdump -i em0 -U -w - not tcp port 22)

                  Using su would really break that. If you must use an alternate account, you'll need to install sudo on the firewall and set it to allow at least tcpdump to run without a password for your user/group.

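An added shell example, not from any poster and not pfSense's own tooling, that wraps the approach jimp describes: capture as root over an ssh key, quote the filter so the remote shell does not mangle it (the reason the OP's unquoted 'not port 22' is fragile), and exclude only the SSH traffic involving the capturing laptop instead of all port 22 traffic, so other SSH sessions through the firewall stay visible. Host, interface and laptop address are arguments you supply; nothing here is a real address.

```shell
#!/bin/sh
# Added example: remote tcpdump piped into a local Wireshark, built so the
# capture filter survives ssh's remote re-parsing. Not code from the thread.

# Build a BPF filter that drops the SSH traffic carrying the capture itself.
# Without this the pcap stream sent over ssh would be captured, producing
# more ssh traffic, which is captured again (a feedback loop). Given the
# laptop's address, only SSH traffic involving that host is excluded;
# otherwise fall back to jimp's broader "not tcp port 22".
capture_filter() {
  local_ip=$1
  if [ -n "$local_ip" ]; then
    printf 'not (tcp port 22 and host %s)' "$local_ip"
  else
    printf 'not tcp port 22'
  fi
}

# ssh joins its remote-command words with spaces and hands the result to the
# remote login shell, which re-parses it. Local quotes are already gone by
# then, so "(" and ")" in a filter would be interpreted by that shell. Wrap
# the filter in single quotes that reach the remote side intact.
remote_capture_cmd() {
  iface=$1
  filter=$2
  # Escape any single quote inside the filter for the remote shell: ' -> '\''
  escaped=$(printf '%s' "$filter" | sed "s/'/'\\\\''/g")
  printf "tcpdump -i %s -U -w - '%s'" "$iface" "$escaped"
}

# Run as root with an ssh key (pfSense ships no sudo, and su needs a tty).
# -U flushes each packet, -w - writes pcap to stdout, which Wireshark reads.
# Usage (all values are placeholders): run_capture 192.168.x.x em0 <laptop-ip>
run_capture() {
  host=$1; iface=$2; local_ip=$3
  cmd=$(remote_capture_cmd "$iface" "$(capture_filter "$local_ip")")
  ssh "root@$host" "$cmd" | wireshark -k -i -
}
```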
                  • rfinterference, last edited by Jun 4, 2013, 2:48 AM

                    Thanks to everyone who replied. I had looked into installing sudo but decided I didn't want to take the chance of breaking anything on the production machine.

                    In case anyone is interested, the solution I used (the "fastest implementation") was to put taps in place on both sides of the pfSense box, with a tiny Linux computer connected to both taps and the LAN. Now I can troubleshoot till my eyes bleed.

                    Best Regards
                    rfi

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.