
We want to enable real-time network tracing for application testing.

We want to grant as few permissions/rights as possible on the remote host that will run tcpdump.

So I tried to set up an authorized key that is used for login.

command="sudo tcpdump -n -i eth0 -s 65535 -w -" ssh-rsa AAAAB3NzaC....

When I connect from the client machine and use

ssh -i private.key user@10.10.254.200 | wireshark -S -k -i -

Wireshark complains and says "unrecognized pcap format".

When we instead run

ssh -i private.key user@10.10.254.200 "tcpdump -i eth0 -w -" | wireshark -S -k -i -

and remove the command="..." from authorized keys it works!

What is the difference between these two variants? If I remove the "| wireshark..." in both cases, I see binary data coming towards me in the terminal...

In case there is a difference that will make this impossible in any case, do you guys know a way where the command can somehow be pre-defined on the server side?

As I tried to explain in the beginning, the client machines that run Wireshark shall be as restricted as possible.

Thanks for your help!

aslmx

1 Answer


In the first case it is a normal ssh session with a pseudo-terminal.

If you want just the data (without terminal control characters and stuff like that), you should try ssh with -T switch.

The other solution to achieve the same behaviour is to put no-pty next to the command in the authorized_keys file (thanks @mykel):

command="sudo tcpdump -n -i eth0 -s 65535 -w -",no-pty ssh-rsa AAAAB3NzaC....
Jakuje
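Why the pseudo-terminal breaks the capture, shown with a small model added here (my own Python, not code from the question or the answer): a pty merges the command's stderr into the same byte stream as its stdout and its line discipline rewrites every LF as CR LF, and either change is enough to make a pcap stream unparseable. BANNER and the packet payloads are constructed sample data, and parse_pcap is a deliberately strict reader standing in for Wireshark's check.

```python
import struct

PCAP_MAGIC = 0xa1b2c3d4  # magic of the little-endian pcap files tcpdump writes on x86
# Constructed stand-in for the status line tcpdump prints to stderr on startup.
BANNER = b"tcpdump: listening on eth0, link-type EN10MB (Ethernet)\n"

def pcap_stream(payloads):
    """Build the bytes 'tcpdump -w -' writes: global header, then one record
    (16-byte header + data) per packet; constructed sample data, not a real capture."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, data in enumerate(payloads):
        out += struct.pack("<IIII", 1000 + i, 0, len(data), len(data)) + data
    return out

def through_pty(stdout_bytes, stderr_bytes=b""):
    """Model of a pseudo-terminal: the command's stderr lands in the same
    terminal stream as its stdout, and output processing (OPOST|ONLCR)
    rewrites every LF as CR LF. With no-pty / ssh -T neither happens."""
    return (stderr_bytes + stdout_bytes).replace(b"\n", b"\r\n")

def parse_pcap(stream):
    """Strict pcap reader (the check Wireshark's -i - input performs, in
    spirit): returns the packet payloads or raises ValueError."""
    if len(stream) < 24:
        raise ValueError("truncated global header")
    magic, _, _, _, _, snaplen, _ = struct.unpack("<IHHiIII", stream[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("unrecognized pcap format (magic %#x)" % magic)
    pos, packets = 24, []
    while pos < len(stream):
        if len(stream) - pos < 16:
            raise ValueError("truncated record header at offset %d" % pos)
        _, _, caplen, origlen = struct.unpack("<IIII", stream[pos:pos + 16])
        pos += 16
        if caplen > snaplen or caplen > origlen or len(stream) - pos < caplen:
            raise ValueError("record framing broken at offset %d" % pos)
        packets.append(stream[pos:pos + caplen])
        pos += caplen
    return packets

def pty_error(stream, stderr_bytes=b""):
    """Why the stream stops parsing after a pty, or None if it still parses."""
    try:
        parse_pcap(through_pty(stream, stderr_bytes))
        return None
    except ValueError as exc:
        return str(exc)
```

Because tcpdump's own stderr line reaches the pty first, the first bytes Wireshark sees are text rather than the pcap magic, which is exactly the "unrecognized pcap format" symptom; the LF rewrite then desynchronises record framing as soon as any packet contains a 0x0a byte.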