
I am trying to capture remote host traffic via jumphost from a Windows machine and display in Wireshark.

When the PUTTY GUI is used and configured as below:

  1. Created and saved SSH session (bastion-host) for the jumphost
    • Connection --> Data --> Auto-login username configured
    • Connection --> SSH --> Auth --> jumphost private Key file for authentication configured
  2. Created and saved another SSH session (target-host), where traffic capture will happen
    • Connection --> Data --> Auto-login username configured
    • Connection --> Proxy --> Proxy hostname configured as proxy and port 22
    • Connection --> Proxy --> Telnet command or local proxy command as plink "bastion-host" -agent -nc %host:%port
    • Connection --> SSH --> Remote command as "sudo tcpdump -i ens5 -w - not port 22"
    • Connection --> SSH --> Auth --> target-host private Key file for authentication configured
  3. Load and open saved session (target-host)

The result is:

  1. I can see traffic being captured and displayed in the Windows PUTTY terminal.
  2. "tcpdump" is actually executed on target-host.

At this stage, I don't know how to redirect this to Wireshark.

Next, and this is what I am trying to achieve, is to execute the above setup via the command line. Below is the complete command:

plink.exe -proxycmd "putty.exe -ssh <username>@<jumphost-address> -i <private-key-file> -agent -nc <target-host>:22" -ssh <target-username>@<target-host> -i <target-private-key> "sudo tcpdump -ni ens5 -s 0 -w - not port 22" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

Wireshark pops up, but no traffic is captured, as I can't see the "tcpdump" command getting executed on .

To confirm that plink works, I tested a similar command on a directly accessible host, and everything works: Wireshark pops up with a live traffic capture.

plink.exe -ssh -pw <password> <username>@<my-host> "/usr/sbin/tcpdump -ni ens192 -s 0 -w - not port 22" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

So, I reckon something is wrong with the way I am using the plink command. I would appreciate it if someone could help me rectify it.

Thanks

OS: Windows 7 Enterprise, 64 bit

PUTTY: Release 0.70

rawat
  • This [answer](https://superuser.com/questions/1369012/remote-ssh-tcpdump-command-through-a-gateway-to-be-opened-in-realtime-in-wir) worked for me. – rawat Apr 08 '19 at 04:44

1 Answer

The hint for the correct command posted in this answer worked for me.

My final command is:

plink -proxycmd "plink <username>@<jumphost-address> -i <private-key-file> -nc <target-host>:22" <target-username>@<target-host> -i <target-private-key> "sudo tcpdump -ni ens5 -s 0 -w - not port 22" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -
rawat
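The two-hop pipeline from the final command, assembled programmatically so the nested quoting of the -proxycmd string is handled by the library rather than by hand. This is an added example, not code from the original post; the binary paths, key paths and host names are assumptions, and -batch (a real plink option that disables interactive prompts) is added so a missing cached host key fails fast instead of hanging the pipe.

```python
"""Build and launch plink -> Wireshark through a jump host (added example)."""
import subprocess
import sys
from typing import List, Tuple

# Assumed binary locations; adjust for your machine.
PLINK = "plink.exe"
WIRESHARK = r"C:\Program Files\Wireshark\Wireshark.exe"


def build_commands(jump_user: str, jump_host: str, jump_key: str,
                   target_user: str, target_host: str, target_key: str,
                   iface: str = "ens5", ssh_port: int = 22) -> Tuple[List[str], List[str]]:
    """Return (plink_argv, wireshark_argv) for a capture via a bastion.

    The inner plink runs in netcat mode (-nc) and carries the outer plink's
    SSH session to target:ssh_port.  The tcpdump filter excludes ssh_port so
    the capture does not contain the stream that transports the capture.
    """
    # Inner hop: plink to the bastion, forward raw bytes to target:port.
    # -batch: never prompt; both host keys must already be cached in PuTTY.
    proxy_argv = [PLINK, "-batch", f"{jump_user}@{jump_host}", "-i", jump_key,
                  "-nc", f"{target_host}:{ssh_port}"]
    # -proxycmd takes a single string, so quote the inner argv cmd.exe-style.
    proxy_cmd = subprocess.list2cmdline(proxy_argv)

    remote_cmd = f"sudo tcpdump -ni {iface} -s 0 -w - not port {ssh_port}"
    plink_argv = [PLINK, "-batch", "-proxycmd", proxy_cmd,
                  f"{target_user}@{target_host}", "-i", target_key, remote_cmd]
    # -k: start capturing immediately; -i -: read the pcap stream from stdin.
    wireshark_argv = [WIRESHARK, "-k", "-i", "-"]
    return plink_argv, wireshark_argv


def start_capture(plink_argv: List[str], wireshark_argv: List[str]) -> subprocess.Popen:
    """Pipe plink's stdout (tcpdump's pcap output) into Wireshark's stdin."""
    plink = subprocess.Popen(plink_argv, stdout=subprocess.PIPE)
    wireshark = subprocess.Popen(wireshark_argv, stdin=plink.stdout)
    plink.stdout.close()  # only Wireshark holds the read end now
    return wireshark


if __name__ == "__main__":
    # Constructed sample values; pass --run to actually launch the pipeline.
    p, w = build_commands("jumpuser", "bastion.example", r"C:\keys\jump.ppk",
                          "ubuntu", "10.0.0.5", r"C:\keys\target.ppk")
    print(subprocess.list2cmdline(p), "|", subprocess.list2cmdline(w))
    if "--run" in sys.argv:
        start_capture(p, w).wait()
```

Run without --run first to inspect the exact command line; if the inner hop fails under -batch, connect to each host once interactively so PuTTY caches its host key.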