That use case is exactly what extcap was invented for. In your case, there could be a small Python or C application on the host's side, which handles the pipe management. Extcap is, in its essence, just a neat user interface for configuring such pipe scenarios. So in your case, you could provide your users with a Python extcap, which can be locally installed and handles the situation of capturing from the remote interface.
Sadly, that will require code to be written; out-of-the-box solutions beyond sshdump/udpdump do not exist.

On Mon, 31 Jan 2022 at 21:56, Erik Hjelmvik <erik.hjelm...@gmail.com> wrote:

> Thanks for the feedback Roland!
>
> sshdump is indeed a neat way to capture packets from a remote machine. But
> I'm afraid that extcap solution isn't quite what I'm looking for either. I
> should have explained in more detail what I'm trying to achieve, so that
> you folks wouldn't have to guess. I primarily use PCAP-over-IP to
> read decrypted TLS packets from PolarProxy, for example as in these two
> examples:
> * Ingesting packets from PolarProxy to Arkime:
> https://netresec.com/?b=20C3247
> * Live extraction of TLS encrypted data in Windows:
> https://netresec.com/?b=221d46b
>
> One option would be to implement an additional packet export feature in
> PolarProxy, which transmits decrypted packets over ERSPAN or wraps the
> packets in UDP, so that they can be parsed with udpdump. However, I'm a bit
> reluctant to add new features unless there is a real need for them. What
> I'd like to achieve in the end is for Wireshark/tshark to be able to parse
> decrypted traffic from PolarProxy in near-real time. Any suggestions or
> ideas that you might have on how we can make PolarProxy+Wireshark work
> better together are welcome!
>
> PS: I actually did a live TLS decryption demo at the SEC-T conference in
> 2019, which was recorded and posted here:
> https://www.youtube.com/watch?v=lVS0DHjgpKc
>
> In this demo I simply pushed the decrypted PCAP stream from PolarProxy to
> STDOUT and piped that into Wireshark with "-i -". This integration works,
> but it's not how I prefer to read packets with Wireshark and it's not a
> viable option if PolarProxy and Wireshark are running on different machines.
>
> /erik
>
>
> On Mon, 31 Jan 2022 at 20:39, Roland Knall <rkn...@gmail.com> wrote:
>
>> If udpdump is nothing for you, and you are able to run a capture tool
>> like tshark or tcpdump on the remote machine, you can take a look at
>> sshdump. A sibling of udpdump, it executes the remote capture program via
>> ssh, and then transports the data as-is through an ssh connection. It can be
>> seen as a simple capture device on the host PC.
>>
>> Roland
>>
>> On Mon, 31 Jan 2022 at 19:53, Erik Hjelmvik <erik.hjelm...@gmail.com> wrote:
>>
>>> Hi Dario,
>>>
>>> Udpdump looks interesting, but I'm afraid it doesn't quite fulfill my
>>> requirements. Wrapping captured packets inside of UDP packets or IP packets
>>> (as in ERSPAN) to allow remote sniffing is an attractive solution, but it
>>> comes with several drawbacks. Some of these drawbacks include difficulties
>>> in handling captured packets that exceed the MTU between sniffer and
>>> collector, how to preserve timestamps from the original capture source, etc.
>>> Transmitting packets over a TCP connection has a few drawbacks as well, but
>>> it's a method that has served me very well over the years.
>>>
>>> As of now, I'd say that the primary drawback of using PCAP-over-IP
>>> (which really should be called "PCAP-over-TCP") is that Wireshark/tshark
>>> can't read this data natively without having to use netcat as a shim
>>> between the TCP socket and Wireshark/tshark. I was hoping that there was an
>>> extcap solution for this, but I'm guessing I might be out of luck there :(
>>>
>>> /erik
>>>
>>> On Mon, 31 Jan 2022 at 14:02, Dario Lombardo <lom...@gmail.com> wrote:
>>>
>>>> You can have a look at udpdump, which doesn't use TCP but UDP, but it
>>>> may fit your purpose.
>>>>
>>>> On Mon, Jan 31, 2022 at 1:57 PM Erik Hjelmvik <erik.hjelm...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hello folks,
>>>>>
>>>>> Is there some way to read PCAP-over-IP in Wireshark? I.e. read a PCAP
>>>>> stream over a TCP socket.
>>>>>
>>>>> Currently, the best solution to read PCAP-over-IP in Wireshark is by
>>>>> using netcat to read the PCAP stream and forward it to Wireshark's STDIN
>>>>> like this:
>>>>> nc localhost 57012 | wireshark -k -i -
>>>>>
>>>>> But it would be much nicer if this data could be read directly without
>>>>> having to use netcat. Maybe as an extcap interface?
>>>>>
>>>>> Best regards,
>>>>> Erik
>>>>>
>>>>> ___________________________________________________________________________
>>>>> Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
>>>>> Archives: https://www.wireshark.org/lists/wireshark-dev
>>>>> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>>>>> mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Naima is online.
>>>
>>
>
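Roland's suggestion above (a small, locally installed Python extcap that handles the pipe management for a PCAP-over-IP stream), sketched as an added example that is not part of this thread, of Wireshark or of PolarProxy: it answers the extcap discovery calls and, on capture, connects to the TCP endpoint, checks that the stream really starts with a pcap/pcapng header, and copies it into Wireshark's fifo. The interface name pcapoverip, the --host/--port options and the help URL are assumptions; port 57012 is the one from Erik's netcat command.

```python
# Hypothetical extcap helper for PCAP-over-IP (not Wireshark's or PolarProxy's code). Placed in
# Wireshark's extcap directory, it receives the --extcap-* discovery calls and --capture --fifo <path>.
import argparse, socket, struct, sys
# pcap magic (both byte orders, us/ns variants) plus the pcapng SHB type, read little-endian
PCAP_MAGICS = {0xa1b2c3d4, 0xd4c3b2a1, 0xa1b23c4d, 0x4d3cb2a1, 0x0a0d0d0a}

def extcap_interfaces():
    # Interface name and help URL are assumptions for this example.
    return ["extcap {version=0.1}{help=https://example.invalid/pcapoverip}",
            "interface {value=pcapoverip}{display=PCAP-over-IP (TCP) remote capture}"]

def extcap_config():
    # Options shown in Wireshark's interface dialog; 57012 is the port from the thread.
    return ["arg {number=0}{call=--host}{display=Host}{type=string}{default=127.0.0.1}{required=true}",
            "arg {number=1}{call=--port}{display=Port}{type=integer}{range=1,65535}{default=57012}"]

def stream_looks_like_pcap(head):
    return len(head) >= 4 and struct.unpack("<I", head[:4])[0] in PCAP_MAGICS

def capture(host, port, fifo):
    # Copy the TCP byte stream into Wireshark's fifo unchanged: the stream carries its own
    # pcap header, so link type and timestamps come from the capture source, not from here.
    with socket.create_connection((host, port)) as sock, open(fifo, "wb") as out:
        head = sock.recv(4, socket.MSG_WAITALL)
        if not stream_looks_like_pcap(head):
            sys.exit("remote stream does not start with a pcap/pcapng header; not forwarding it")
        out.write(head)
        while chunk := sock.recv(65536):
            out.write(chunk)
            out.flush()  # hand each chunk to Wireshark immediately for a live view

def main(argv):
    p = argparse.ArgumentParser()
    for flag in ("--extcap-interfaces", "--extcap-dlts", "--extcap-config", "--capture"):
        p.add_argument(flag, action="store_true")
    for opt in ("--extcap-version", "--extcap-interface", "--extcap-capture-filter", "--fifo", "--host", "--port"):
        p.add_argument(opt)
    a, _ = p.parse_known_args(argv)  # tolerate extcap options this script does not implement
    if a.extcap_interfaces:
        print("\n".join(extcap_interfaces()))
    elif a.extcap_dlts:  # only for capture-filter validation; the real link type is in the stream
        print("dlt {number=1}{name=EN10MB}{display=Ethernet}")
    elif a.extcap_config:
        print("\n".join(extcap_config()))
    elif a.capture and a.fifo:
        capture(a.host or "127.0.0.1", int(a.port or 57012), a.fifo)

if __name__ == "__main__":
    main(sys.argv[1:])
```

Because the script only forwards bytes, anything PolarProxy writes into its pcap stream (including the original timestamps) reaches Wireshark intact, which is the property Erik's netcat pipe had and udpdump lacked.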