Ssh – Piping tcpdump traffic via SSH – but no root ssh access

centossshsudotcpdump

The situation

I would like to use Wireshark to analyze traffic on one of our servers, but I don't want to install Wireshark on the server itself. I understand that I can pipe tcpdump traffic via SSH to my local machine (Ubuntu) which has Wireshark installed.

The problem

I cannot login to the server with a root account because that is disabled. I have sudo rights, but when logged in to the server the command sudo tcpdump does not work. The command below (with or without sudo) won't work:

$ ssh john@server-abc.com "sudo tcpdump -s 0 -U -n -w - -i eth0 not port 22" > /tmp/remote

The question

Is there a way to get this working? If so – how?

Best Answer

You can run this command via sudo on the server to capture the data first, and then send the resulting file back to your workstation to review the data

sudo tcpdump -i eth0 -s 65535 -w /tmp/wireshark

Related Solutions

SSH session through jumphost via remote port forwarding

It looks like you should be using local port-forwarding instead of remote port-forwarding. You may want to refer to the following helpful blog post by Dirk Loss:

SSH port forwarding visualized

It includes the following illustrative diagram:

In order to read the diagram you need to know that it describes the relationships between 4 different roles involved in creating and utilizing an SSH tunnel:

an ssh client (i.e. ssh - the OpenSSH command-line client) used to establish the tunnel;
an ssh server (i.e. sshd - the OpenSSH server daemon) used to maintain the other end of the tunnel;
an application server (e.g. another ssh server or an http server);
an application client (e.g. another ssh client or a web-browser) which wants to access the application server via the tunnel.

It's also important to understand that the two different types of forwarding correspond to two different use cases:

Local Forwarding: where the application client connects via the ssh client
Remote Forwarding: where the application client connects via the ssh server

Remote forwarding is so called because the forwarding is performed remotely (at the ssh server) rather than locally (at the ssh client). I also find "remote forwarding = reverse forwarding" to be a useful mnemonic.

So as you can see, in order to initiate a connection from an ssh client at the origin host through an sshd server on a proxy jumphost to a third target host you would have to use local port-forwarding. Remote port-forwarding is for the case in which you want the entry point to the tunnel to be located at the host running the sshd server rather than at the host running the ssh client.

In the man page the local port-forwarding syntax is written as follows:

ssh -L [bind_address:]port:host:hostport user@remote

This can be written more intuitively as the following:

ssh -L [local_bind_address:]local_port:remote_host:remote_host_port user@proxy_host

Or, using your naming conventions:

ssh -L [origin_bind_address:]origin_port:target_host:target_host_port user@jump_host

If we modify your command to use local port-forwarding instead then we end up with the following:

user@origin:~$ ssh -L *:1234:target:22 myusername@jumphost

SSH port forwarding: “Privileged ports can only be forwarded by root” error

You probably want

ssh -L 8080:127.0.0.1:80 -N -f myserver

Local port comes first. (That's not my political stance!)

Best Answer

Related Solutions

SSH session through jumphost via remote port forwarding

SSH port forwarding: “Privileged ports can only be forwarded by root” error

Related Question