Remote Packet Capture



  • I know that remote packet capturing (realtime capture of a remote tcpdump with Wireshark) can be done with Linux and I've done that before.  Is it also supported with FreeBSD?  I'm guessing it is.  If so does the pfSense install have everything needed?  Guessing it does but would just like to verify before spending time attempting to make something work that is not going to.

    As a bonus, if someone has the tcpdump command line handy for setting up the remote capture, that would be great, not having to start from scratch.



  • Well here it is…

    
    "C:\Program Files (x86)\PuTTY\plink.exe" -ssh -pw password root@pfSense.localdomain tcpdump -n -nn -s 0 -U -w - -i bfe0 vlan 99 and icmp | "C:\Program Files\Wireshark\wireshark.exe" -i - -k
    
    

    or, if the target system's SSH is configured for key authentication, replace the -pw password with the -i option and a key file:

    
    "C:\Program Files (x86)\PuTTY\plink.exe" -ssh -i "C:\Program Files (x86)\WinSCP\Keys\pfSense\id_rsa_4096_SSH_Private_Key.ppk" root@pfSense.localdomain tcpdump -n -nn -s 0 -U -w - -i bfe0 vlan 99 and icmp | "C:\Program Files\Wireshark\wireshark.exe" -i - -k
    
    

    Replace paths, login name, domain name, network interface, filter expression, etc. as appropriate.

    To prevent tcpdump from putting the network interface into promiscuous mode add the -p option.
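    The same pipeline for a Linux or macOS workstation with OpenSSH, added here as an example and not part of the original post. Host name, key path and interface are assumptions (replace them as for the plink version), as is an account whose login shell executes the passed command directly. Beyond the one-liner above it does two things a practitioner will want: it refuses filters that could break out of the quoting the remote shell re-parses, and it always ANDs the requested filter with "not tcp port 22", because the pcap stream itself rides over that SSH session and capturing it on the same interface is a feedback loop.

    ```shell
    #!/bin/sh
    # Added example (not from the original post): the plink pipeline rewritten for
    # OpenSSH. Assumed, hypothetical names: host pfsense.localdomain, key
    # ~/.ssh/pfsense_ed25519, login "capuser", interface igb1.

    # Reject anything that could break out of the single quotes the filter is wrapped in;
    # the command string is re-parsed by the remote shell before tcpdump sees it.
    safe_filter() {
        case $1 in
            *"'"* | *'`'* | *'$'* | *';'* | *'|'* | *'&'*) return 1 ;;
        esac
        return 0
    }

    # Build the remote tcpdump command line. The requested filter is ANDed with
    # "not tcp port <ssh port>" so the session carrying the capture is never captured:
    # otherwise every captured packet becomes more SSH traffic, which is captured, and so on.
    # -p   no promiscuous mode (see the note above)
    # -U   flush each packet into the pipe as it arrives, so Wireshark updates live
    # -w - write pcap to stdout, which ssh carries back to the local side
    remote_capture_cmd() {
        iface=$1
        filter=$2
        ssh_port=${3:-22}
        safe_filter "$filter" || return 1
        if [ -n "$filter" ]; then
            bpf="($filter) and not tcp port $ssh_port"
        else
            bpf="not tcp port $ssh_port"
        fi
        printf '%s' "tcpdump -p -n -nn -s 0 -U -w - -i $iface '$bpf'"
    }

    run_capture() {
        host=$1; iface=$2; filter=$3
        cmd=$(remote_capture_cmd "$iface" "$filter") || { echo "refused filter: $filter" >&2; return 1; }
        # BatchMode: fail instead of prompting, so a bad key does not leave Wireshark waiting on an idle pipe
        ssh -o BatchMode=yes -i "$HOME/.ssh/pfsense_ed25519" "capuser@$host" "$cmd" | wireshark -k -i -
    }

    # usage: ./remote-capture.sh --run pfsense.localdomain igb1 'vlan 99 and icmp'
    if [ "${1:-}" = "--run" ]; then
        run_capture "${2:?host}" "${3:?interface}" "${4:-}"
    fi
    ```

    Wireshark reading from stdin does not need root here; only the remote tcpdump does.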



  • @NOYB:

    I know that remote packet capturing (realtime capture of a remote tcpdump with Wireshark) can be done with Linux and I've done that before.  Is it also supported with FreeBSD?  I'm guessing it is.  If so does the pfSense install have everything needed?  Guessing it does but would just like to verify before spending time attempting to make something work that is not going to.

    As a bonus, if someone has the tcpdump command line handy for setting up the remote capture, that would be great, not having to start from scratch.

    I'm not sure I'd feed it into wireshark directly. Lots of corner cases can appear that way. Why not save pcaps, and then load those directly into wireshark?

    Bro with Timemachine (not AAPL's) and I think Vortex will both capture pcaps for replay.

    Even easier (but not secure), mount a remote file system and tcpdump to it.



  • @fatsailor:

    I'm not sure I'd feed it into wireshark directly. Lots of corner cases can appear that way.

    Such as?  Examples?

    @fatsailor:

    Why not save pcaps, and then load those directly into wireshark?

    Bro with Timemachine (not AAPL's) and I think Vortex will both capture pcaps for replay.

    Even easier (but not secure), mount a remote file system and tcpdump to it.

    Not realtime/live packet captures.  See what's happening as it happens.

    As for easy: this is pretty easy.  Just install PuTTY (plink), build a few command lines in a text editor for common capture filters, and paste as needed into a command shell.  Poof, Wireshark is live capturing the pfSense interface of your choice.



  • I am trying to use your command line script:

    "c:\wireshark\plink.exe" -ssh -pw pword root@pfSense.localhost tcpdump -n -nn -s 0 -U -w - -i em1 vlan 99 and icmp | "C:\Program Files\Wireshark\wireshark.exe" -i - -k -p

    Modified to my needs of course, and it starts to work: it opens Wireshark and asks me if the connection is secure, and then nothing comes through into Wireshark; it just sits there idle.

    I have tried promiscuous and non promiscuous modes.

    Any suggestions?



  • That would indicate that the SSH tunnel is not getting established.

    Verify the authentication method (key and/or password) and the user credentials being used.

    Also verify the pfSense machine's address being used is correct.

    Also verify the plink.exe path is correct and that plink is working.



  • I've been told it is being worked on to handle this within Wireshark.
    That would be awesome.  Hope it's true and arrives soon.  Stay tuned.

    SSH Remote Capture TCPdump
    https://ask.wireshark.org/questions/58696/ssh-remote-capture-tcpdump



  • Just installed Wireshark 2.2.3 and it has the SSH remote capture interface.  But it can't establish the SSH connection due to no matching kex algorithms.

    ![SSH Remote Capture - Settings.jpg](/public/imported_attachments/1/SSH Remote Capture - Settings.jpg)
    ![SSH Remote Capture - Error.jpg](/public/imported_attachments/1/SSH Remote Capture - Error.jpg)



  • Experimenting with the new Wireshark SSH remote capture interface.  It's there but not really usable yet.  Some show-stopper bugs that appear to still be being worked out, and some fixes that have not been included in the latest stable release (2.2.3).

    1. The GUI won't accept an SSH key path.
    2. Sends options for the remote binary dumpcap when specifying tcpdump.  The -f option has a different meaning for tcpdump.
    3. No means of specifying options for the remote binary command.
    4. Captures a few packets and then prematurely stops capturing.
    5. kex algorithm mismatch between Wireshark SSH client and pfSense SSHd.

    The default remote binary is dumpcap.  From what I gleaned from bug reports it sounds like dumpcap is preferred over tcpdump due to some security issues with tcpdump being run with full privileges.

    Unfortunately it does not appear dumpcap has been compiled for FreeBSD.  At least not that I could find.  Would be nice if someone could compile and get it included in the FreeBSD ports/packages or wherever appropriate and included in pfSense build.

    In the meantime for experimenting I've been using a dumpcap script to translate to tcpdump.

    
    #!/bin/sh
    # Shim installed on pfSense under the name "dumpcap" (must be executable):
    # logs whatever Wireshark's sshdump passed, then hands the interface and
    # capture filter to tcpdump.

    # Record argv so the option layout sshdump uses can be inspected.
    echo "$0" >/var/dumpcap.txt
    for arg in "$@"; do
        echo "$arg" >>/var/dumpcap.txt
    done

    # Observed in /var/dumpcap.txt: -i em1 -w - -f not port 22
    # i.e. $1=-i $2=em1 $3=-w $4=- $5=-f $6=<filter>.
    # -f means something else to tcpdump, so $5 is dropped and only the filter ($6) is passed.
    #/usr/sbin/tcpdump -p -n -nn -s 0 -U -w - -i em0 not port 22
    #/usr/sbin/tcpdump -p -n -nn -s 0 -U -w - $3 $4 $6
    exec /usr/sbin/tcpdump -p -n -nn -s 0 -U "$1" "$2" "$3" "$4" "$6"
    
    

    Once it all gets ironed out this should be much nicer than using command line to third party SSH app and pipe to Wireshark.  Basically doing the same thing, just providing a GUI frontend within Wireshark.



  • @flagcc:

    Modified to my needs of course, and it starts to work: it opens Wireshark and asks me if the connection is secure, and then nothing comes through into Wireshark; it just sits there idle.

    I have tried promiscuous and non promiscuous modes.

    Any suggestions?

    Reason:
    Connecting using user "root" or "admin" will end up in a CLI-Menu but no shell.
    Thus tcpdump cannot start and you will see nothing.

    Solution:
    Start like this:

    (echo 8) | plink root@pfsense tcpdump -n -s 0 -nn -U -w - -i em0  icmp | wireshark -i - -k
    

    "( echo 8 )" will type "8" for you in order to exit from the menu to the shell (at time of writing).

    After that I assume wireshark is working properly.



  • I have toyed a bit with this, and here is a working solution without too much "no..no".

    
    ********* Works wo sudo hack on linux **************
    
    Only first time (ever) - to make ssh work wo. asking for passwd
    ssh-keygen
    ssh-copy-id user@pfsense-fw
    
    If sudo is installed on pfsense
    ----------------------------------
    remote:~$ mkfifo /tmp/pcap
    remote:~$ sudo tcpdump -iigb1 -U -s0 -w - 'not port 22' > /tmp/pcap
    
    If sudo is not installed on pfsense
    ------------------------------------
    ssh to pfsense as root/admin , enter 8 for shell
    
    remote:~# mkfifo /tmp/pcap
    remote:~# tcpdump -iigb1 -U -s0 -w - 'not port 22' > /tmp/pcap
    
    and send the data by a separate connection:
    
    local:~$ mkfifo /tmp/pcap
    local:~$ ssh user@pfsense-fw "cat /tmp/pcap" > /tmp/pcap
    
    and finally start Wireshark
    
    local:~$ sudo wireshark -k -i /tmp/pcap
    
    ********************* end ***************
    
    

    I do have this one liner working
    As local root (because Wireshark needs root):

    
    local:# ssh user@pfsense-fw sudo tcpdump -iigb1 -U -s0 -w - 'not port 22' | wireshark -k -i -
    
    

    But it requires sudo to be installed on pfSense:

    
    https://www.cyberciti.biz/faq/how-to-add-delete-grant-sudo-privileges-to-users-on-freebsd-unix-server/
    
    install
    pkg install security/sudo
    
    

    And some "nasty" visudo things that would give a "security officer/revision" "red ears"….

    I could probably lock it down to just work with tcpdump, but for now it's allowing my local user to sudo anything without even asking for a password, provided he's a member of the admin group.

    Have fun "Sharking"

    Ps:
    Most of this nasty stuff would probably not be needed if we could get a way to SSH into pfSense as root without hitting the "menu".
    Or if we could SSH into pfSense with a user that was allowed to run tcpdump on an interface.

    /Bingo
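    One way to get exactly the second thing the post above asks for (a user that may run tcpdump on an interface and nothing else), which also sidesteps the console menu problem raised earlier in the thread: a forced-command wrapper on the pfSense side, allowed through sudo with no arguments. This is an added example, not code from the thread or from the pfSense project. Every name in it is an assumption: a dedicated pfSense user "capture", the script installed as /usr/local/bin/capture-wrapper, tcpdump at /usr/sbin/tcpdump. sshd runs the forced command instead of the client's command and puts the client's command in SSH_ORIGINAL_COMMAND, which is why sudo has to be told to keep that variable.

    ```shell
    #!/bin/sh
    # Added example, not from the original thread. Forced-command wrapper for the
    # pfSense side: validates "<iface> [bpf filter]" and execs tcpdump as root.
    # All names are hypothetical assumptions.
    #
    # authorized_keys for user "capture" (one line):
    #   command="sudo -n /usr/local/bin/capture-wrapper",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAA... laptop
    #
    # sudoers: only this script, with no arguments, plus the one variable it needs:
    #   Defaults!/usr/local/bin/capture-wrapper env_keep += "SSH_ORIGINAL_COMMAND"
    #   capture ALL=(root) NOPASSWD: /usr/local/bin/capture-wrapper ""
    #
    # Client side:  ssh capture@pfsense-fw "igb1 vlan 99 and icmp" | wireshark -k -i -

    TCPDUMP=/usr/sbin/tcpdump

    # FreeBSD interface names: lowercase driver name, unit number, optional ".vlan"
    # (igb1, em0, igb1.99). Anything else, including option-looking strings, is refused.
    valid_iface() {
        case $1 in
            [a-z]*[0-9]) ;;
            *) return 1 ;;
        esac
        case $1 in
            *[!a-z0-9.]*) return 1 ;;
        esac
        return 0
    }

    # The filter is passed to tcpdump as a single argv element (no shell re-parse), so the
    # real risk is it being read as an option. Restrict it to a conservative character set
    # and refuse a leading dash. Byte-offset syntax such as tcp[13] is deliberately excluded.
    valid_filter() {
        [ -n "$1" ] || return 0                    # empty means "everything"
        case $1 in -*) return 1 ;; esac
        [ -z "$(printf '%s' "$1" | tr -d 'A-Za-z0-9 .:/()-')" ]
    }

    # SSH_ORIGINAL_COMMAND is "<iface> [bpf filter]"; prints "iface|filter".
    parse_request() {
        set -f                                     # no globbing while splitting
        set -- $1
        set +f
        [ $# -ge 1 ] || return 1
        iface=$1
        shift
        printf '%s|%s' "$iface" "$*"
    }

    run_capture() {
        req=$(parse_request "$1") || { echo "usage: <iface> [bpf filter]" >&2; exit 64; }
        iface=${req%%|*}
        filter=${req#*|}
        valid_iface "$iface"   || { echo "refused interface: $iface" >&2; exit 64; }
        valid_filter "$filter" || { echo "refused filter" >&2; exit 64; }
        # -p: no promiscuous mode; -U: flush per packet so the stream is live; --: end of options
        if [ -n "$filter" ]; then
            exec "$TCPDUMP" -p -n -nn -s 0 -U -w - -i "$iface" -- "$filter"
        else
            exec "$TCPDUMP" -p -n -nn -s 0 -U -w - -i "$iface"
        fi
    }

    # Only act when invoked by sshd through the forced command; without
    # SSH_ORIGINAL_COMMAND (e.g. when sourced for testing) nothing runs.
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        run_capture "$SSH_ORIGINAL_COMMAND"
    fi
    ```

    The point of validating inside the script rather than in sudoers is that sudoers wildcards match across argument boundaries, so a rule like "tcpdump -i *" would also admit extra options; giving sudo a fixed command with an empty argument list and doing the checking as root in the wrapper avoids that.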

