
I want to debug another machine on my network but have to pass through one or more SSH tunnels to get there.

Currently:

    # SSH into one machine
    ssh -p 22 me@some_ip -i ~/.ssh/00_id_rsa

    # From there, SSH into the target machine
    # Note that this private key lives on this machine
    ssh -p 1234 root@another_ip -i ~/.ssh/01_id_rsa

    # Capture debug traffic on the target machine
    tcpdump -n -i eth0 -vvv -s 0 -XX -w tcpdump.pcap

But then it's a pain to successively copy that .pcap out. Is there a way to write the pcap directly to my local machine, where I have wireshark installed?


1 Answer


You should use ProxyCommand to chain ssh hosts and to pipe output of tcpdump directly into wireshark. To achieve that you should create the following ssh config file:

    # First hop: the bastion, reached with the local key
    Host some_ip
      IdentityFile ~/.ssh/00_id_rsa

    # Second hop: tunnelled through the bastion; the key for it lives on the bastion,
    # so it is loaded into the forwarded agent there before nc opens the connection
    Host another_ip
      Port 1234
      ProxyCommand ssh -o 'ForwardAgent yes' some_ip 'ssh-add ~/.ssh/01_id_rsa && nc %h %p'

I tested this with full paths, so be careful with ~.

To see the live capture you should use something like

    ssh another_ip "tcpdump -s0 -U -n -w - -i eth0 'not port 1234'" | wireshark -k -i -

If you want to just dump the pcap locally, you can redirect stdout to a filename of your choice.

    ssh another_ip "tcpdump -n -i eth0 -vvv -s 0 -XX -w -" > tcpdump.pcap

See also:

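The same remote-capture flow as a small script, added here as an example that is not part of the original question or answer. It builds the remote tcpdump command with the ssh port excluded (the `'not port 1234'` filter above, which stops the capture from recording its own transport), and checks that what arrived locally really is a pcap file; the host alias `target` and the interface/port values are placeholders, and the ssh config chaining is assumed to be set up as in the answer.

```shell
#!/bin/sh
# Added example (not from the original post). Host names, interface and port are
# placeholders; ~/.ssh/config is assumed to define the chained host as in the answer.
set -eu

# Build the remote tcpdump command. The BPF filter excludes the ssh port the capture
# rides on: otherwise every captured packet produces more ssh traffic, which is
# captured in turn (a feedback loop). -U flushes per packet so a live wireshark updates.
build_capture_cmd() {
    iface=$1; ssh_port=$2; extra=${3:-}
    case "$iface" in *[!A-Za-z0-9_.:-]*|'') echo "bad interface: $iface" >&2; return 1;; esac
    case "$ssh_port" in *[!0-9]*|'') echo "bad port: $ssh_port" >&2; return 1;; esac
    filter="not port $ssh_port"
    if [ -n "$extra" ]; then filter="$filter and ($extra)"; fi
    printf "tcpdump -s 0 -U -n -i %s -w - '%s'" "$iface" "$filter"
}

# Check that a file starts with a libpcap magic number (either byte order, plus the
# nanosecond-resolution variants), so a capture that silently failed is not kept as data.
is_pcap() {
    magic=$(od -An -N4 -tx1 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0;;
        *) return 1;;
    esac
}

# Run the capture over the chained ssh session. out="-" streams into wireshark,
# anything else is written to that local file and verified afterwards.
remote_capture() {
    host=$1; iface=$2; ssh_port=$3; out=$4
    cmd=$(build_capture_cmd "$iface" "$ssh_port")
    if [ "$out" = "-" ]; then
        ssh "$host" "$cmd" | wireshark -k -i -
    else
        ssh "$host" "$cmd" > "$out"
        is_pcap "$out" || { echo "no pcap data written to $out" >&2; return 1; }
    fi
}

# Example invocation (placeholders): remote_capture target eth0 1234 capture.pcap
```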