Hi
Thanks in advance.
asked 14 May '16, 19:21 Carlos Lopez, edited 15 May '16, 06:19
One Answer:
Okay, so we have two points to address:
The first one is easy: you use one instance of plink to log in to machine1 and set up a tunnel through that ssh session from your Windows machine's local tcp port to machine2's tcp port 22 the following way:
This will open a new command line window for that instance of plink but won't prevent the script from continuing further. You can get rid of that extra window by using a On the next line of the batch, you start the plink as you did, except that you specify the socket on your local machine as the server:
The second part is a bit of a headache. I've asked you on purpose whether you've already used a named pipe. The trouble is that you cannot feed Wireshark with two distinct streams through the (single) standard input (using But while on Linux it is possible to create and feed a named pipe from the command line, it seems not to be the case on Windows, so unless you find a ready-made solution, you'll need to write a piece of code in order to be able to set up the named pipes and feed them with the data output by plink. So your command line options to Wireshark would be So instead of using
And the last point is that despite what the Wiki says, Wireshark only accepts the pcap (i.e. not pcapng) data format through stdin or named pipes, so depending on your tcpdump version, you may need to use the right option to make it output pcap. This excludes capturing on more than one interface by the same instance of tcpdump, i.e. in the generic case you'd need one tcpdump instance and one named pipe per source interface.
answered 15 May '16, 14:32 sindy, edited 15 May '16, 21:55
Thanks Sindy, I will read your answer carefully, and will try to put it into practice. I may come back if you don't mind with another question related to this. Thanks. (16 May '16, 16:05) Carlos Lopez
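The answer says the missing piece on Windows is a small program that creates the named pipes and feeds them with plink's output. The script below is an added example written for this thread, not code from the answer or from the Wireshark or PuTTY projects. It follows the three points of the answer: a first plink instance opens an ssh tunnel through machine1 (10.10.10.1) with `-L`, a second plink logs in to that local socket and runs tcpdump with `-w -`, and each stream is checked to be pcap (not pcapng) before it is written to a `\\.\pipe\...` named pipe that a single Wireshark instance reads with repeated `-i`. The install paths are the ones from the thread; the local ports 2222 and 2223, the interface name, the `-N` tunnel-only flag, key or Pageant based authentication (no `-pw`), and the use of the pywin32 `win32pipe`/`win32file` modules are assumptions. The format check and the copy loop are plain Python and run anywhere; only `NamedPipeWriter` and `main()` need Windows.

```python
"""Two remote tcpdump streams -> two Windows named pipes -> one Wireshark instance.

Layout from the thread: the PC reaches machine1 (10.10.10.1) directly; machine2
(192.168.0.2) and machine3 (192.168.0.3) are reachable only through machine1.
"""
import subprocess
import sys
import threading
import time

# Install paths and addresses come from the thread; local ports are assumptions.
PLINK = r"C:\Program Files (x86)\PuTTY\plink.exe"
WIRESHARK = r"C:\wireshark\wireshark.exe"
JUMP_HOST = "10.10.10.1"
TARGETS = {"cap2": ("192.168.0.2", 2222), "cap3": ("192.168.0.3", 2223)}

# Constructed sample headers (not captured data): a little-endian pcap global
# header (v2.4, snaplen 65535, Ethernet) and a pcapng Section Header Block.
SAMPLE_PCAP_LE = bytes.fromhex("d4c3b2a1 0200 0400 00000000 00000000 ffff0000 01000000")
SAMPLE_PCAPNG_SHB = bytes.fromhex("0a0d0d0a 1c000000 4d3c2b1a 0100 0000 ffffffffffffffff 1c000000")


def tunnel_cmd(local_port, target_ip, user="root", jump_host=JUMP_HOST):
    """First plink: localhost:local_port on the PC is forwarded to target_ip:22 via machine1."""
    return [PLINK, "-ssh", "-N", "-L", f"{local_port}:{target_ip}:22", f"{user}@{jump_host}"]


def capture_cmd(local_port, iface="eth1", user="root"):
    """Second plink: log in through the forwarded socket and stream a pcap capture to stdout."""
    remote = f"tcpdump -i {iface} -s 0 -U -n -w - 'tcp port not 22'"
    return [PLINK, "-ssh", "-P", str(local_port), f"{user}@localhost", remote]


def wireshark_cmd(pipe_paths):
    """One Wireshark instance reads several named pipes when -i is repeated."""
    cmd = [WIRESHARK, "-k"]
    for path in pipe_paths:
        cmd += ["-i", path]
    return cmd


def detect_capture_format(head):
    """Classify the first bytes of a stream; Wireshark accepts only 'pcap' on a pipe."""
    if len(head) < 4:
        return "short"
    magic = head[:4]
    if magic == b"\x0a\x0d\x0d\x0a":          # pcapng SHB type, same in both byte orders
        return "pcapng"
    if magic in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",   # microsecond pcap, LE / BE
                 b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d"):  # nanosecond pcap, LE / BE
        return "pcap"
    return "unknown"


def pump(src, dst, chunk=65536):
    """Copy src to dst until EOF and return (format, bytes_copied).

    A stream that is not pcap is dropped before a single byte reaches the pipe,
    so Wireshark never receives a header it cannot parse."""
    head = src.read(24)                        # the pcap global header is 24 bytes
    fmt = detect_capture_format(head)
    if fmt != "pcap":
        return fmt, 0
    dst.write(head)
    total = len(head)
    while True:
        buf = src.read(chunk)
        if not buf:
            break
        dst.write(buf)
        total += len(buf)
    dst.flush()
    return fmt, total


class NamedPipeWriter:
    r"""Server end of \\.\pipe\<name>; needs Windows and pywin32 (assumed installed)."""

    def __init__(self, name):
        import win32pipe
        self.path = r"\\.\pipe\{}".format(name)
        self.handle = win32pipe.CreateNamedPipe(
            self.path, win32pipe.PIPE_ACCESS_OUTBOUND,
            win32pipe.PIPE_TYPE_BYTE | win32pipe.PIPE_WAIT, 1, 65536, 65536, 0, None)

    def wait_for_reader(self):
        import win32pipe
        win32pipe.ConnectNamedPipe(self.handle, None)   # blocks until Wireshark opens the pipe

    def write(self, data):
        import win32file
        win32file.WriteFile(self.handle, data)

    def flush(self):
        pass


def main():
    pipes = {name: NamedPipeWriter(name) for name in TARGETS}
    procs = [subprocess.Popen(tunnel_cmd(port, ip)) for ip, port in TARGETS.values()]
    time.sleep(3)   # crude wait for the tunnels to come up before the capture logins
    # Wireshark is started after the pipes exist; ConnectNamedPipe then returns when it opens them.
    procs.append(subprocess.Popen(wireshark_cmd([p.path for p in pipes.values()])))

    def worker(name):
        _ip, port = TARGETS[name]
        cap = subprocess.Popen(capture_cmd(port), stdout=subprocess.PIPE)
        pipes[name].wait_for_reader()
        print(name, pump(cap.stdout, pipes[name]))

    threads = [threading.Thread(target=worker, args=(n,), daemon=True) for n in TARGETS]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    for p in procs:
        p.terminate()


if __name__ == "__main__" and sys.platform == "win32":
    main()
```

Each pipe gets its own tcpdump instance and its own copy thread, which matches the "one tcpdump and one named pipe per source interface" rule in the answer; `pump` refusing a pcapng header is what turns a silently dead Wireshark capture into a printed reason.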
There are actually several things to deal with. If you need live captures, your main issue will be to make Wireshark capture from two pipes simultaneously. If you don't need live captures, it should be enough to save the capture output to files on the source machines, download the files, and merge them together on your Windows machine.
You may want to use the tunnelling capability of ssh to deliver the captured data from machines 2 and 3 to your Windows PC; if you have root rights at 2 and 3, you can make their local tcp port represent one at your PC, so whatever you send to localhost:X at machine2 will come to localhost:Y at your PC.
If you need more information, please specify more details about the whole arrangement.
Sindy.
Yes, I need live captures of the two machines simultaneously (if possible) to be seen on my local machine in one instance of Wireshark. I have root rights on machines 1, 2 and 3. Can you help me to set up the tunneling to achieve this? I have used plink before to do this, but only towards machine1; now I need it towards 2 and 3, but the only access I have to reach 2 and 3 is through machine 1.
Thanks.
Do I get you right that you have already been using plink to capture remotely on a single linux machine and feed the output to Wireshark running on a Windows machine? So this part would be out of question? If so, were you also using a named pipe on Windows as part of that arrangement?
That is correct.
This is what I have in a .bat file
cd c:\
REM plink runs tcpdump on machine1 (root@10.10.10.1, host restored from the note below) and pipes the pcap stream into Wireshark's stdin
"Program Files (x86)/PuTTY/plink.exe" -ssh -pw root root@10.10.10.1 "tcpdump -i eth1 -s 0 -U -n -w - 'tcp port not 22'" | "/wireshark/wireshark.exe" -k -i -
where 10.10.10.1 is machine 1
The previous .bat file opens wireshark and after a few seconds I can see the packets being captured. What I need is through machine1 do something similar towards 2 and 3.
192.168.0.2 is machine2
192.168.0.3 is machine3
Thanks