如何跨多个SSH跃点远程捕获流量？

Question

我想在我的网络上调试另一台机器，但必须通过一个或多个SSH隧道才能到达那里。

目前：

    # SSH into one machine
    ssh -p 22 me@some_ip -i ~/.ssh/00_id_rsa

    # From there, SSH into the target machine
    # Note that this private key lives on this machine
    ssh -p 1234 root@another_ip -i ~/.ssh/01_id_rsa

    # Capture debug traffic on the target machine
    tcpdump -n -i eth0 -vvv -s 0 -XX -w tcpdump.pcap

然而，连续复制.pcap是一件痛苦的事。有没有办法将pcap直接写入我的本地机器，我在那里安装了wireshark？

Answer 1

您应该使用ProxyCommand链接ssh主机并将tcpdump的输出直接输入wireshark。为此，您应该创建以下ssh配置文件：

Host some_ip
  IdentityFile ~/.ssh/00_id_rsa

Host another_ip
  Port 1234
  ProxyCommand ssh -o 'ForwardAgent yes' some_ip 'ssh-add ~/.ssh/01_id_rsa && nc %h %p'

我用完整路径测试了这个，所以要小心〜

要查看实时捕捉，您应该使用类似

的内容

ssh another_ip "tcpdump -s0 -U -n -w - -i eth0 'not port 1234'" | wireshark -k -i -

如果您只想转储pcap localy，可以将stdout重定向到您选择的文件名。

ssh another_ip "tcpdump -n -i eth0 -vvv -s 0 -XX -w -" > tcpdump.pcap

另见：

• https://serverfault.com/questions/337274/ssh-from-a-through-b-to-c-using-private-key-on-b
• https://serverfault.com/questions/503162/locally-examine-network-traffic-of-remote-machine/503380#503380
• How can I have tcpdump write to file and standard output the appropriate data?