Remote Wireshark capture for Sophos UTM over SSH
Published 2016-03-16 at https://blog.escarra.org/?p=614

Sophos UTM v9 ships with tcpdump, so you can run packet captures from the shell. That is fine as far as it goes, but to look at the result in Wireshark you have to write the capture to a file, copy the file off the firewall, then open it in Wireshark. Annoying. All of it.

What if we could capture remotely and stream the packets straight into Wireshark over an SSH tunnel? We can. It turns out to be slightly tricky on Windows, and the other piece is authentication: getting a root shell directly, without first logging in as loginuser and switching to root. How? Keep reading.

First, the necessary ingredients:

- Sophos UTM
- Wireshark (or your favorite pcap application)
- PuTTY suite (specifically Plink and PuTTYgen)

To start, enable Shell Access on the UTM with public key authentication, and allow root login only with an SSH key (not with a password).

Next, use PuTTYgen to generate the key pair we'll use for root authentication: open it, click Generate, then paste the public key into Authorized Keys for root on the UTM, apply and save. Also Save private key somewhere you'll remember; Plink needs it. Give the private key a passphrase (and load it into Pageant) rather than leaving it unprotected on disk: it is a root credential for your firewall. Keep Shell Access restricted to your management network for the same reason.

Now the actual magic, using Plink. Take the following command as an example:

    plink -ssh root@firewall.domain.com -i C:\ssh-priv.ppk "tcpdump -s 0 -U -n -w - not port 22 and not host 192.168.0.1" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

Replace firewall.domain.com with your firewall's FQDN, C:\ssh-priv.ppk with the location of the private key you saved from PuTTYgen, and 192.168.0.1 with the firewall's IP address on the interface you are connecting through.

What the pieces do: tcpdump captures full packets (-s 0), flushes each packet as it is captured (-U) so Wireshark sees packets immediately rather than in bursts, skips name resolution (-n) so the capture itself does not trigger DNS lookups from the firewall, and writes pcap data to stdout (-w -). Plink carries that stream over SSH, and Wireshark reads it from stdin (-i -) and starts the capture immediately (-k). The capture filter "not port 22 and not host 192.168.0.1" matters: if you capture on the interface your SSH session arrives on, the session carrying the capture would otherwise be captured too, and every captured packet would generate more SSH traffic to capture. Note that this filter also hides all other SSH traffic and everything to or from that firewall address; if you need to see those, narrow the exclusion to just your own workstation's SSH session.

Run Plink once interactively before you try the pipeline, so you can verify the firewall's host key fingerprint and cache it; a host key prompt in the middle of a pipeline is a poor place to meet it.

Wireshark will open and start showing packets. You can smile and jump now.

You can adjust the tcpdump parameters to suit the capture, for example -i eth1 to capture a specific interface, or a tighter filter for the traffic you are after. Once you're done, just close Wireshark and Ctrl+C the Plink command.

Note that if you do this across a WAN or the Internet, every captured packet is tunnelled back over SSH, so the capture consumes roughly as much bandwidth as the traffic you are capturing, on top of that traffic.

Have fun!!!
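The same pipeline from a Linux or macOS workstation, using OpenSSH instead of Plink, as an added example that is not part of the original post. The firewall host name, interface name, addresses and key path are placeholders, and the capture filter is narrowed to the client's own SSH session rather than excluding all port 22 traffic and the whole firewall address.

```shell
#!/bin/sh
# Added example, not from the original post: the plink | Wireshark pipeline
# for a Linux/macOS workstation using OpenSSH. firewall.domain.com, eth1,
# the addresses and the key path are placeholders, not values from the post.
set -eu

# Build the BPF capture filter for the remote tcpdump. Instead of the broad
# "not port 22 and not host <fw>", exclude only the one SSH session that
# carries the capture (firewall IP + our workstation IP + the SSH port). That
# still stops the capture from capturing itself, but keeps other SSH traffic
# and other traffic to the firewall's own address visible.
#   $1 firewall IP on the interface we connect through
#   $2 our workstation IP (the SSH client)
#   $3 SSH port on the firewall (22 by default)
#   $4 optional extra filter, e.g. "port 443", ANDed with the exclusion
capture_filter() {
    fw_ip=$1; client_ip=$2; ssh_port=$3; extra=${4:-}
    filter="not (host ${fw_ip} and host ${client_ip} and tcp port ${ssh_port})"
    if [ -n "$extra" ]; then
        filter="${filter} and (${extra})"
    fi
    printf '%s' "$filter"
}

# The command run as root on the UTM: full packets (-s 0), flush each packet
# (-U) so Wireshark sees it immediately, no name resolution (-n) so the capture
# does not trigger DNS lookups from the firewall, pcap stream on stdout (-w -).
#   $1 interface to capture on, $2 BPF filter from capture_filter
remote_capture_cmd() {
    printf "tcpdump -i %s -s 0 -U -n -w - '%s'" "$1" "$2"
}

# Stream the capture into a local Wireshark.
#   $1 firewall host name  $2 firewall IP  $3 our IP  $4 interface  [$5 extra filter]
# SSH_KEY: path to the OpenSSH private key authorised for root on the UTM
# (assumed default ~/.ssh/utm_root). BatchMode refuses password prompts and
# unknown host keys, so connect once interactively first to verify and cache
# the firewall's host key fingerprint.
run_capture() {
    key=${SSH_KEY:-$HOME/.ssh/utm_root}
    filter=$(capture_filter "$2" "$3" 22 "${5:-}")
    ssh -o BatchMode=yes -i "$key" "root@$1" "$(remote_capture_cmd "$4" "$filter")" \
        | wireshark -k -i -
}

# Usage: ./remote-capture.sh firewall.domain.com 192.168.0.1 192.168.0.50 eth1 [extra filter]
# With no arguments the script only defines the functions.
if [ $# -ge 4 ]; then
    run_capture "$@"
fi
```

The exclusion is built as one parenthesised term so that any extra filter you pass is ANDed with it and can never accidentally re-include the capture session. Because ssh runs the remote command without a pty, the binary pcap stream passes through untouched; the same feedback-loop and bandwidth caveats from the Plink version apply.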