Capture packets via remote tcpdump using SSH and display in local Wireshark client (Windows batch file)
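@echo off
setlocal
rem Capture packets with tcpdump on a remote host over SSH (PuTTY plink) and
rem stream them into a local Wireshark instance.
rem
rem Usage: <script> [host] [interface] [capture filter]
rem   Any argument not given on the command line is prompted for.
rem
rem NOTE: the remote session logs in as root and runs tcpdump there; a dedicated
rem capture account with only the raw-socket capability would be lower privilege.
rem The host, interface and filter values are pasted into the remote command line
rem unescaped, so they are expected to come from the operator, not from elsewhere.

rem Locate plink.exe via PuTTY's uninstall entry.  The Wow6432Node view only
rem lists 32-bit installs, so the native key is also checked for 64-bit PuTTY.
call :find_install_dir PuTTY_is1 putty_dir
if not defined putty_dir (
  echo Please install PuTTY using Windows installer from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
  exit /b 1
)
rem InstallLocation may carry a trailing backslash; the resulting "\\" is harmless.
set plink="%putty_dir%\plink.exe"

rem Locate Wireshark.exe the same way (32-bit and 64-bit installs).
call :find_install_dir Wireshark wireshark_dir
if not defined wireshark_dir (
  echo Please install Wireshark using Windows installer from https://www.wireshark.org/download.html
  exit /b 1
)
set wireshark="%wireshark_dir%\Wireshark.exe"

rem Host: first parameter (surrounding quotes stripped), else prompt.
set "host=%~1"
if not defined host set /p host= What SSH host do you want to capture from?

rem Interface: second parameter, else list the remote interfaces and prompt.
set "iface=%~2"
if not defined iface (
  %plink% root@%host% tcpdump -D
  set /p iface= What interface do you want to capture from?
)

rem Capture filter: third parameter (kept verbatim, quotes included, so it reaches
rem the remote shell as one word).  When absent and capturing on an interface that
rem carries the SSH session itself, exclude that session so the capture does not
rem feed back on itself.
set pattern=%3
if not defined pattern (
  if "%iface%" == "eth0" set pattern="not host %host% and not port 22"
  if "%iface%" == "any" set pattern="not host %host% and not port 22"
)

rem Run tcpdump writing pcap to stdout (-U flushes per packet, -s0 full frames)
rem and let Wireshark read the stream from its stdin (-i -) and start at once (-k).
%plink% root@%host% tcpdump -U -i %iface% -s0 -w - %pattern% | %wireshark% -k -i -
goto :eof

rem ---------------------------------------------------------------------------
rem find_install_dir <uninstall entry name> <result variable>
rem   Reads InstallLocation from the entry under the 32-bit (Wow6432Node) and
rem   native Uninstall keys, first match wins.  The result variable is left
rem   undefined when neither key holds the value.
rem ---------------------------------------------------------------------------
:find_install_dir
set "%2="
for %%k in ("HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\%~1" "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\%~1") do (
  if not defined %2 (
    rem Only the value line survives the find filter; tokens are
    rem "InstallLocation REG_SZ <path...>", so %%y is the whole path.
    for /f "tokens=2*" %%x in ('reg query %%k /v "InstallLocation" 2^>nul ^| find "InstallLocation"') do set "%2=%%y"
  )
)
exit /b 0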
molotsnk commented Apr 15, 2018
thanks!