Dump traffic from a FortiGate firewall over SSH
#!/usr/bin/env bash
#
# ssh to a FortiGate firewall and write pcap data to stdout, or to tcpdump when stdout is a terminal
# needs the Wireshark tool text2pcap and tcpdump installed
#
# Case-insensitive pattern matching in [[ ]] and case (also affects the option parser below).
shopt -s nocasematch
# Abort on any failing command (-e), let ERR traps propagate into functions and
# subshells (-E), and fail a pipeline when any stage fails (pipefail).
# -u (nounset) is deliberately not enabled: several variables are tested with
# [[ -z "$var" ]] before they are ever assigned.
set -eEo pipefail
#######################################
# Print the option reference for this script.
# Globals:   none
# Arguments: none
# Outputs:   usage text on stdout (one option per "-x type" line followed by
#            its description)
#######################################
help() {
  cat <<'EOF'
 -a string
 address of Fortigate
 -c number
 sniff until the packet count is reached (default 50)
 set to 0 for continous capture
 -d string
 vdom
 -f string
 packet filter using fortigate filtering syntax.
 For example, to print UDP 1812 traffic between forti1 and either forti2 or forti3:
 'udp and port 1812 and host forti1 and ( forti2 or forti3 )' (default "ip")
 -i string
 fortigate interface to sniff.
 -p string
 remote port (default "22")
 -u string
 ssh username
 -s number
 capture number of bytes of data from each packet. defaults to interface MTU
EOF
}
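#check dependencies
#######################################
# Exit with status 1 when a required command is not on PATH.
# command -v replaces the original `[ ! -f $(which tool) ]`: when which printed
# nothing that test collapsed to `[ ! -f ]`, which is false, so a missing tool
# was never reported and the pipeline below failed much later instead.
# Arguments: $1 - command name
#            $2 - hint appended to the error message
# Outputs:   error message on stderr
# Returns:   0 when the command exists; exits 1 otherwise
#######################################
require_cmd() {
  local cmd=$1
  local hint=$2
  if ! command -v "$cmd" >/dev/null 2>&1; then
    printf '%s not in path, %s\n' "$cmd" "$hint" >&2
    exit 1
  fi
}
require_cmd text2pcap "install wireshark"
require_cmd tcpdump "install tcpdump"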
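#Parse arguments
#######################################
# Parse the command line into the script's globals.
# Every option takes exactly one value; the original loop had no default
# case, so an unknown option (or a trailing option without a value) left
# "$#" unchanged and spun forever, or died silently in `shift` under set -e.
# Globals:   address, count, vdom, filter, interface, sshport, sshuser,
#            snaplen (written)
# Arguments: the script's "$@"
# Outputs:   diagnostics and the help text on stderr for a malformed line
# Returns:   0; exits 1 on an unknown option or a missing value, 0 after -h
#######################################
parse_args() {
  while [[ "$#" -gt 0 ]]; do
    case "$1" in
      -h)
        help
        exit 0
        ;;
      -a|-c|-d|-f|-i|-p|-u|-s)
        if [[ "$#" -lt 2 ]]; then
          printf 'option %s requires a value\n' "$1" >&2
          help >&2
          exit 1
        fi
        ;;
      *)
        printf 'unknown option: %s\n' "$1" >&2
        help >&2
        exit 1
        ;;
    esac
    case "$1" in
      -a) address=$2 ;;
      -c) count=$2 ;;
      -d) vdom=$2 ;;
      # the filter is handed to the FortiGate CLI wrapped in single quotes
      -f) filter="'$2'" ;;
      -i) interface=$2 ;;
      -p) sshport=$2 ;;
      -u) sshuser=$2 ;;
      -s) snaplen=$2 ;;
    esac
    shift 2 # past option and its value (both present, checked above)
  done
}
parse_args "$@"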
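#required arguments. Diagnostics go to stderr: when stdout is not a terminal it
#carries the pcap stream, and an error text there would corrupt the capture.
#"${var:-}" keeps these checks valid should set -u be enabled later.
if [[ -z "${address:-}" ]]; then
  printf 'no address specified\n' >&2
  help >&2
  exit 1
fi
if [[ -z "${interface:-}" ]]; then
  printf 'no interface specified\n' >&2
  help >&2
  exit 1
fi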
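#set defaults
# -c: packet count, 0 = capture until interrupted (see help)
if [[ -z "${count:-}" ]]; then
  count="50"
fi
# -f: FortiGate filter expression, passed to the CLI wrapped in single quotes
if [[ -z "${filter:-}" ]]; then
  filter="'ip'"
fi
# -c and -s are spliced into the remote CLI line; reject anything that is not
# a plain number so a typo cannot turn into an unexpected sniffer argument.
if ! [[ "$count" =~ ^[0-9]+$ ]]; then
  printf 'invalid packet count: %s\n' "$count" >&2
  exit 1
fi
if [[ -n "${snaplen:-}" ]] && ! [[ "$snaplen" =~ ^[0-9]+$ ]]; then
  printf 'invalid snaplen: %s\n' "$snaplen" >&2
  exit 1
fi
# Trailing sniffer arguments: timestamp format "l" (presumably local time),
# optionally followed by the per-packet byte limit from -s; without -s the
# firewall uses the interface MTU (see help).
if [[ -z "${snaplen:-}" ]]; then
  timesnap="l"
else
  timesnap="l ${snaplen}"
fi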
#build ssh command
# Kept as one string because the call site expands it unquoted so that the
# embedded options become separate words; optional parts are added only when
# their variable is non-empty.
sshcmd="ssh${sshport:+ -p ${sshport}}${sshuser:+ -l ${sshuser}} ${address}"
# CLI text sent to the firewall: the sniffer command at verbosity 3, entered
# inside the given vdom when -d was used.
sniffline="diagnose sniffer packet ${interface} ${filter} 3 ${count} ${timesnap}"
if [[ -n "$vdom" ]]; then
  printf -v fgtcmd 'config vdom\nedit %s\n%s' "$vdom" "$sniffline"
else
  fgtcmd=$sniffline
fi
#if terminal is stdout pipe to tcpdump, otherwise pipe to stdout
# Default to passing the pcap stream through; only a terminal gets it decoded.
outcmd="cat -"
if [[ -t 1 ]]; then
  outcmd="tcpdump -ttttnnr -"
fi
#execute ssh, format to text2pcap compatible input, run text2pcap on the text and
#pipe to tcpdump for pretty format or stdout if its not terminal.
#
# Stage by stage. $sshcmd and $outcmd are expanded unquoted on purpose so their
# embedded options split into separate words (a username or address containing
# spaces would therefore break). LC_ALL=C keeps sed/text2pcap byte-oriented, and
# set -o pipefail above makes any failing stage fail the script.
#  1. run the sniffer command on the firewall over ssh
#  2. on lines containing "# ", drop everything up to and including the first
#     "# " (presumably the CLI prompt echoed in front of the output - verify)
#  3. keep only lines starting with a digit (timestamp and 0x-offset lines) or
#     empty lines; "\|" alternation is GNU sed syntax
#  4-6. split each space-delimited group of four hex digits into two bytes. One
#     /g pass cannot catch adjacent groups because the match consumes the
#     trailing space, so the substitution runs twice; the third pass handles the
#     last group, which is followed by a tab instead of a space
#  7. rewrite a leading "0x" offset prefix as "00" so text2pcap sees a plain hex
#     offset
#  8. on timestamp lines keep only "YYYY-MM-DD HH:MM:SS.uuuuuu " and drop the
#     packet summary that follows
#  9. text2pcap turns the hex dump into pcap on stdout (-q quiet; -t gives the
#     timestamp layout produced by stage 8)
# 10. tcpdump decodes the stream on a terminal, otherwise cat passes the raw
#     pcap through to stdout
LC_ALL=C $sshcmd "$fgtcmd" | \
LC_ALL=C sed -e '/\# / s/^[^#]*\#\ //' | \
LC_ALL=C sed -n '/^[0-9]\|^$/p' | \
LC_ALL=C sed -e 's/\ \([0-9a-fA-F]\{2\}\)\([0-9a-fA-F]\{2\}\)\ /\ \1\ \2\ /g' | \
LC_ALL=C sed -e 's/\ \([0-9a-fA-F]\{2\}\)\([0-9a-fA-F]\{2\}\)\ /\ \1\ \2\ /g' | \
LC_ALL=C sed -e 's/\ \([0-9a-fA-F]\{2\}\)\([0-9a-fA-F]\{2\}\)\t/\ \1\ \2\ \t/g' | \
LC_ALL=C sed -e 's/^0x/00/' | \
LC_ALL=C sed -e 's/\(^[0-9]\{4\}\-[0-9]\{2\}\-[0-9]\{2\}\ [0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}\.[0-9]\{6\}\ \).*/\1/' | \
LC_ALL=C text2pcap -q -t "%Y-%m-%d %H:%M:%S." - - | \
LC_ALL=C $outcmd