2 * ciscodump is extcap tool used to capture data using a ssh on a remote cisco router
4 * Copyright 2015, Dario Lombardo
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * SPDX-License-Identifier: GPL-2.0-or-later
15 #include <extcap/extcap-base.h>
16 #include <wsutil/interface.h>
17 #include <wsutil/strtoi.h>
18 #include <wsutil/filesystem.h>
19 #include <extcap/ssh-base.h>
20 #include <writecap/pcapio.h>
28 #define CISCODUMP_VERSION_MAJOR "1"
29 #define CISCODUMP_VERSION_MINOR "0"
30 #define CISCODUMP_VERSION_RELEASE "0"
32 /* The read timeout in msec */
33 #define CISCODUMP_READ_TIMEOUT 3000
35 #define CISCODUMP_EXTCAP_INTERFACE "ciscodump"
36 #define SSH_READ_BLOCK_SIZE 1024
37 #define SSH_READ_TIMEOUT 10000
39 #define WIRESHARK_CAPTURE_POINT "WIRESHARK_CAPTURE_POINT"
40 #define WIRESHARK_CAPTURE_BUFFER "WIRESHARK_CAPTURE_BUFFER"
41 #define WIRESHARK_CAPTURE_ACCESSLIST "WIRESHARK_CAPTURE_ACCESSLIST"
43 #define PCAP_SNAPLEN 0xffff
45 #define PACKET_MAX_SIZE 65535
47 #define MINIMUM_IOS_MAJOR 12
48 #define MINIMUM_IOS_MINOR 4
50 /* Status of the parser */
52 CISCODUMP_PARSER_STARTING,
53 CISCODUMP_PARSER_IN_PACKET,
54 CISCODUMP_PARSER_IN_HEADER,
55 CISCODUMP_PARSER_END_PACKET,
56 CISCODUMP_PARSER_ERROR
60 EXTCAP_BASE_OPTIONS_ENUM,
70 OPT_SSHKEY_PASSPHRASE,
75 static struct option longopts[] = {
77 { "help", no_argument, NULL, OPT_HELP},
78 { "version", no_argument, NULL, OPT_VERSION},
83 static char* interfaces_list_to_filter(GSList* interfaces, unsigned int remote_port)
85 GString* filter = g_string_new(NULL);
89 g_string_append_printf(filter, "deny tcp host %s any eq %u, deny tcp any eq %u host %s",
90 (char*)interfaces->data, remote_port, remote_port, (char*)interfaces->data);
91 cur = g_slist_next(interfaces);
93 g_string_append_printf(filter, ", deny tcp host %s any eq %u, deny tcp any eq %u host %s",
94 (char*)cur->data, remote_port, remote_port, (char*)cur->data);
95 cur = g_slist_next(cur);
97 g_string_append_printf(filter, ", permit ip any any");
100 return g_string_free(filter, FALSE);
103 static char* local_interfaces_to_filter(const unsigned int remote_port)
105 GSList* interfaces = local_interfaces_to_list();
106 char* filter = interfaces_list_to_filter(interfaces, remote_port);
107 g_slist_free_full(interfaces, g_free);
111 /* Read bytes from the channel. If bytes == -1, read all data (until timeout). If outbuf != NULL, data are stored there */
112 static int read_output_bytes(ssh_channel channel, int bytes, char* outbuf)
118 total = (bytes > 0 ? bytes : G_MAXINT);
121 while(ssh_channel_read_timeout(channel, &chr, 1, 0, 2000) > 0 && bytes_read < total) {
126 outbuf[bytes_read] = chr;
132 static void ciscodump_cleanup(ssh_session sshs, ssh_channel channel, const char* iface, const char* cfilter)
135 if (read_output_bytes(channel, -1, NULL) == EXIT_SUCCESS) {
136 ssh_channel_printf(channel, "monitor capture point stop %s\n", WIRESHARK_CAPTURE_POINT);
137 ssh_channel_printf(channel, "no monitor capture point ip cef %s %s\n", WIRESHARK_CAPTURE_POINT, iface);
138 ssh_channel_printf(channel, "no monitor capture buffer %s\n", WIRESHARK_CAPTURE_BUFFER);
140 ssh_channel_printf(channel, "configure terminal\n");
141 ssh_channel_printf(channel, "no ip access-list ex %s\n", WIRESHARK_CAPTURE_ACCESSLIST);
143 read_output_bytes(channel, -1, NULL);
146 ssh_cleanup(&sshs, &channel);
149 static int wait_until_data(ssh_channel channel, const guint32 count)
151 long unsigned got = 0;
152 char output[SSH_READ_BLOCK_SIZE];
156 while (got < count && rounds--) {
157 if (ssh_channel_printf(channel, "show monitor capture buffer %s parameters\n", WIRESHARK_CAPTURE_BUFFER) == EXIT_FAILURE) {
158 g_warning("Can't write to channel");
161 if (read_output_bytes(channel, SSH_READ_BLOCK_SIZE, output) == EXIT_FAILURE)
164 output_ptr = g_strstr_len(output, strlen(output), "Packets");
166 g_warning("Error in sscanf()");
169 if (sscanf(output_ptr, "Packets : %lu", &got) != 1)
173 g_debug("All packets got: dumping");
177 static int parse_line(char* packet, unsigned* offset, char* line, int status)
184 if (strlen(line) <= 1) {
185 if (status == CISCODUMP_PARSER_IN_PACKET)
186 return CISCODUMP_PARSER_END_PACKET;
191 /* we got the packet header */
192 /* The packet header is a line like: */
193 /* 16:09:37.171 ITA Mar 18 2016 : IPv4 LES CEF : Gi0/1 None */
194 if (g_regex_match_simple("^\\d{2}:\\d{2}:\\d{2}.\\d+ .*", line, G_REGEX_CASELESS, G_REGEX_MATCH_ANCHORED)) {
195 return CISCODUMP_PARSER_IN_HEADER;
198 /* we got a line of the packet */
199 /* A line looks like */
200 /* <address>: <1st group> <2nd group> <3rd group> <4th group> <ascii representation> */
201 /* ABCDEF01: 01020304 05060708 090A0B0C 0D0E0F10 ................ */
202 /* Note that any of the 4 groups are optional and that a group can be 1 to 4 bytes long */
203 parts = g_regex_split_simple(
204 "^[\\dA-F]{8,8}:\\s+([\\dA-F]{2,8})\\s+([\\dA-F]{2,8}){0,1}\\s+([\\dA-F]{2,8}){0,1}\\s+([\\dA-F]{2,8}){0,1}.*",
205 line, G_REGEX_CASELESS, G_REGEX_MATCH_ANCHORED);
209 if (strlen(*part) > 1) {
210 value = (guint32)strtoul(*part, NULL, 16);
211 value = ntohl(value);
212 size = strlen(*part) / 2;
213 memcpy(packet + *offset, &value, size);
214 *offset += (guint32)size;
219 return CISCODUMP_PARSER_IN_PACKET;
222 static void ssh_loop_read(ssh_channel channel, FILE* fp, const guint32 count)
224 char line[SSH_READ_BLOCK_SIZE];
227 unsigned packet_size = 0;
229 time_t curtime = time(NULL);
231 guint64 bytes_written;
232 long unsigned packets = 0;
233 int status = CISCODUMP_PARSER_STARTING;
235 /* This is big enough to put on the heap */
236 packet = (char*)g_malloc(PACKET_MAX_SIZE);
239 if (ssh_channel_read_timeout(channel, &chr, 1, FALSE, SSH_READ_TIMEOUT) == SSH_ERROR) {
240 g_warning("Error reading from channel");
249 /* Parse the current line */
251 status = parse_line(packet, &packet_size, line, status);
253 if (status == CISCODUMP_PARSER_END_PACKET) {
254 /* dump the packet to the pcap file */
255 if (!libpcap_write_packet(fp, curtime, (guint32)(curtime / 1000), packet_size,
256 packet_size, packet, &bytes_written, &err)) {
257 g_debug("Error in libpcap_write_packet(): %s", g_strerror(err));
260 g_debug("Dumped packet %lu size: %u", packets, packet_size);
262 status = CISCODUMP_PARSER_STARTING;
268 } while(packets < count);
273 static int check_ios_version(ssh_channel channel)
275 gchar* cmdline = "show version | include Cisco IOS\n";
281 memset(version, 0x0, 255);
283 if (ssh_channel_write(channel, cmdline, (guint32)strlen(cmdline)) == SSH_ERROR)
285 if (read_output_bytes(channel, (int)strlen(cmdline), NULL) == EXIT_FAILURE)
287 if (read_output_bytes(channel, 255, version) == EXIT_FAILURE)
290 cur = g_strstr_len(version, strlen(version), "Version");
292 cur += strlen("Version ");
293 if (sscanf(cur, "%u.%u", &major, &minor) != 2)
296 if ((major > MINIMUM_IOS_MAJOR) || (major == MINIMUM_IOS_MAJOR && minor >= MINIMUM_IOS_MINOR)) {
297 g_debug("Current IOS Version: %u.%u", major, minor);
298 if (read_output_bytes(channel, -1, NULL) == EXIT_FAILURE)
304 g_warning("Invalid IOS version. Minimum version: 12.4, current: %u.%u", major, minor);
308 static ssh_channel run_capture(ssh_session sshs, const char* iface, const char* cfilter, const guint32 count)
310 char* cmdline = NULL;
314 channel = ssh_channel_new(sshs);
318 if (ssh_channel_open_session(channel) != SSH_OK)
321 if (ssh_channel_request_pty(channel) != SSH_OK)
324 if (ssh_channel_change_pty_size(channel, 80, 24) != SSH_OK)
327 if (ssh_channel_request_shell(channel) != SSH_OK)
330 if (!check_ios_version(channel))
333 if (ssh_channel_printf(channel, "terminal length 0\n") == EXIT_FAILURE)
336 if (ssh_channel_printf(channel, "monitor capture buffer %s max-size 9500\n", WIRESHARK_CAPTURE_BUFFER) == EXIT_FAILURE)
339 if (ssh_channel_printf(channel, "monitor capture buffer %s limit packet-count %u\n", WIRESHARK_CAPTURE_BUFFER, count) == EXIT_FAILURE)
343 gchar* multiline_filter;
346 if (ssh_channel_printf(channel, "configure terminal\n") == EXIT_FAILURE)
349 if (ssh_channel_printf(channel, "ip access-list ex %s\n", WIRESHARK_CAPTURE_ACCESSLIST) == EXIT_FAILURE)
352 multiline_filter = g_strdup(cfilter);
353 chr = multiline_filter;
354 while((chr = g_strstr_len(chr, strlen(chr), ",")) != NULL) {
356 g_debug("Splitting filter into multiline");
358 ret = ssh_channel_write(channel, multiline_filter, (uint32_t)strlen(multiline_filter));
359 g_free(multiline_filter);
360 if (ret == SSH_ERROR)
363 if (ssh_channel_printf(channel, "\nend\n") == EXIT_FAILURE)
366 if (ssh_channel_printf(channel, "monitor capture buffer %s filter access-list %s\n",
367 WIRESHARK_CAPTURE_BUFFER, WIRESHARK_CAPTURE_ACCESSLIST) == EXIT_FAILURE)
371 if (ssh_channel_printf(channel, "monitor capture point ip cef %s %s both\n", WIRESHARK_CAPTURE_POINT,
372 iface) == EXIT_FAILURE)
375 if (ssh_channel_printf(channel, "monitor capture point associate %s %s \n", WIRESHARK_CAPTURE_POINT,
376 WIRESHARK_CAPTURE_BUFFER) == EXIT_FAILURE)
379 if (ssh_channel_printf(channel, "monitor capture point start %s\n", WIRESHARK_CAPTURE_POINT) == EXIT_FAILURE)
382 if (read_output_bytes(channel, -1, NULL) == EXIT_FAILURE)
385 if (wait_until_data(channel, count) == EXIT_FAILURE)
388 if (read_output_bytes(channel, -1, NULL) == EXIT_FAILURE)
391 cmdline = g_strdup_printf("show monitor capture buffer %s dump\n", WIRESHARK_CAPTURE_BUFFER);
392 if (ssh_channel_printf(channel, cmdline) == EXIT_FAILURE)
395 if (read_output_bytes(channel, (int)strlen(cmdline), NULL) == EXIT_FAILURE)
402 g_warning("Error running ssh remote command");
403 read_output_bytes(channel, -1, NULL);
405 ssh_channel_close(channel);
406 ssh_channel_free(channel);
410 static int ssh_open_remote_connection(const ssh_params_t* ssh_params, const char* iface, const char* cfilter,
411 const guint32 count, const char* fifo)
416 guint64 bytes_written = 0;
418 int ret = EXIT_FAILURE;
419 char* err_info = NULL;
421 if (g_strcmp0(fifo, "-")) {
422 /* Open or create the output file */
423 fp = fopen(fifo, "wb");
425 g_warning("Error creating output file: %s", g_strerror(errno));
430 sshs = create_ssh_connection(ssh_params, &err_info);
432 g_warning("Error creating connection: %s", err_info);
436 if (!libpcap_write_file_header(fp, 1, PCAP_SNAPLEN, FALSE, &bytes_written, &err)) {
437 g_warning("Can't write pcap file header");
441 channel = run_capture(sshs, iface, cfilter, count);
447 /* read from channel and write into fp */
448 ssh_loop_read(channel, fp, count);
450 /* clean up and exit */
451 ciscodump_cleanup(sshs, channel, iface, cfilter);
461 static int list_config(char *interface, unsigned int remote_port)
467 g_warning("No interface specified.");
471 if (g_strcmp0(interface, CISCODUMP_EXTCAP_INTERFACE)) {
472 g_warning("interface must be %s", CISCODUMP_EXTCAP_INTERFACE);
476 ipfilter = local_interfaces_to_filter(remote_port);
478 printf("arg {number=%u}{call=--remote-host}{display=Remote SSH server address}"
479 "{type=string}{tooltip=The remote SSH host. It can be both "
480 "an IP address or a hostname}{required=true}{group=Server}\n", inc++);
481 printf("arg {number=%u}{call=--remote-port}{display=Remote SSH server port}"
482 "{type=unsigned}{default=22}{tooltip=The remote SSH host port (1-65535)}"
483 "{range=1,65535}{group=Server}\n", inc++);
484 printf("arg {number=%u}{call=--remote-username}{display=Remote SSH server username}"
485 "{type=string}{default=%s}{tooltip=The remote SSH username. If not provided, "
486 "the current user will be used}{group=Authentication}\n", inc++, g_get_user_name());
487 printf("arg {number=%u}{call=--remote-password}{display=Remote SSH server password}"
488 "{type=password}{tooltip=The SSH password, used when other methods (SSH agent "
489 "or key files) are unavailable.}{group=Authentication}\n", inc++);
490 printf("arg {number=%u}{call=--sshkey}{display=Path to SSH private key}"
491 "{type=fileselect}{tooltip=The path on the local filesystem of the private ssh key}"
492 "{group=Authentication}\n", inc++);
493 printf("arg {number=%u}{call=--proxycommand}{display=ProxyCommand}"
494 "{type=string}{tooltip=The command to use as proxy for the SSH connection}"
495 "{group=Authentication}\n", inc++);
496 printf("arg {number=%u}{call--sshkey-passphrase}{display=SSH key passphrase}"
497 "{type=password}{tooltip=Passphrase to unlock the SSH private key}"
498 "{group=Authentication\n", inc++);
499 printf("arg {number=%u}{call=--remote-interface}{display=Remote interface}"
500 "{type=string}{required=true}{tooltip=The remote network interface used for capture"
501 "}{group=Capture}\n", inc++);
502 printf("arg {number=%u}{call=--remote-filter}{display=Remote capture filter}"
503 "{type=string}{tooltip=The remote capture filter}", inc++);
505 printf("{default=%s}", ipfilter);
506 printf("{group=Capture}\n");
507 printf("arg {number=%u}{call=--remote-count}{display=Packets to capture}"
508 "{type=unsigned}{required=true}{tooltip=The number of remote packets to capture.}"
509 "{group=Capture}\n", inc++);
511 extcap_config_debug(&inc);
518 int main(int argc, char *argv[])
522 ssh_params_t* ssh_params = ssh_params_new();
523 char* remote_interface = NULL;
524 char* remote_filter = NULL;
526 int ret = EXIT_FAILURE;
527 extcap_parameters * extcap_conf = g_new0(extcap_parameters, 1);
529 char* help_header = NULL;
535 help_url = data_file_url("ciscodump.html");
536 extcap_base_set_util_info(extcap_conf, argv[0], CISCODUMP_VERSION_MAJOR, CISCODUMP_VERSION_MINOR,
537 CISCODUMP_VERSION_RELEASE, help_url);
539 extcap_base_register_interface(extcap_conf, CISCODUMP_EXTCAP_INTERFACE, "Cisco remote capture", 147, "Remote capture dependent DLT");
541 help_header = g_strdup_printf(
542 " %s --extcap-interfaces\n"
543 " %s --extcap-interface=%s --extcap-dlts\n"
544 " %s --extcap-interface=%s --extcap-config\n"
545 " %s --extcap-interface=%s --remote-host myhost --remote-port 22222 "
546 "--remote-username myuser --remote-interface gigabit0/0 "
547 "--fifo=FILENAME --capture\n", argv[0], argv[0], CISCODUMP_EXTCAP_INTERFACE, argv[0],
548 CISCODUMP_EXTCAP_INTERFACE, argv[0], CISCODUMP_EXTCAP_INTERFACE);
549 extcap_help_add_header(extcap_conf, help_header);
552 extcap_help_add_option(extcap_conf, "--help", "print this help");
553 extcap_help_add_option(extcap_conf, "--version", "print the version");
554 extcap_help_add_option(extcap_conf, "--remote-host <host>", "the remote SSH host");
555 extcap_help_add_option(extcap_conf, "--remote-port <port>", "the remote SSH port (default: 22)");
556 extcap_help_add_option(extcap_conf, "--remote-username <username>", "the remote SSH username (default: the current user)");
557 extcap_help_add_option(extcap_conf, "--remote-password <password>", "the remote SSH password. "
558 "If not specified, ssh-agent and ssh-key are used");
559 extcap_help_add_option(extcap_conf, "--sshkey <public key path>", "the path of the ssh key");
560 extcap_help_add_option(extcap_conf, "--sshkey-passphrase <public key passphrase>", "the passphrase to unlock public ssh");
561 extcap_help_add_option(extcap_conf, "--proxycommand <proxy command>", "the command to use as proxy the the ssh connection");
562 extcap_help_add_option(extcap_conf, "--remote-interface <iface>", "the remote capture interface");
563 extcap_help_add_option(extcap_conf, "--remote-filter <filter>", "a filter for remote capture "
564 "(default: don't capture data for lal interfaces IPs)");
570 extcap_help_print(extcap_conf);
574 while ((result = getopt_long(argc, argv, ":", longopts, &option_idx)) != -1) {
579 extcap_help_print(extcap_conf);
584 printf("%s\n", extcap_conf->version);
587 case OPT_REMOTE_HOST:
588 g_free(ssh_params->host);
589 ssh_params->host = g_strdup(optarg);
592 case OPT_REMOTE_PORT:
593 if (!ws_strtou16(optarg, NULL, &ssh_params->port) || ssh_params->port == 0) {
594 g_warning("Invalid port: %s", optarg);
599 case OPT_REMOTE_USERNAME:
600 g_free(ssh_params->username);
601 ssh_params->username = g_strdup(optarg);
604 case OPT_REMOTE_PASSWORD:
605 g_free(ssh_params->password);
606 ssh_params->password = g_strdup(optarg);
607 memset(optarg, 'X', strlen(optarg));
611 g_free(ssh_params->sshkey_path);
612 ssh_params->sshkey_path = g_strdup(optarg);
615 case OPT_SSHKEY_PASSPHRASE:
616 g_free(ssh_params->sshkey_passphrase);
617 ssh_params->sshkey_passphrase = g_strdup(optarg);
618 memset(optarg, 'X', strlen(optarg));
621 case OPT_PROXYCOMMAND:
622 g_free(ssh_params->proxycommand);
623 ssh_params->proxycommand = g_strdup(optarg);
626 case OPT_REMOTE_INTERFACE:
627 g_free(remote_interface);
628 remote_interface = g_strdup(optarg);
631 case OPT_REMOTE_FILTER:
632 g_free(remote_filter);
633 remote_filter = g_strdup(optarg);
636 case OPT_REMOTE_COUNT:
637 if (!ws_strtou32(optarg, NULL, &count)) {
638 g_warning("Invalid packet count: %s", optarg);
644 /* missing option argument */
645 g_warning("Option '%s' requires an argument", argv[optind - 1]);
649 if (!extcap_base_parse_options(extcap_conf, result - EXTCAP_OPT_LIST_INTERFACES, optarg)) {
650 g_warning("Invalid option: %s", argv[optind - 1]);
656 extcap_cmdline_debug(argv, argc);
658 if (optind != argc) {
659 g_warning("Unexpected extra option: %s", argv[optind]);
663 if (extcap_base_handle_interface(extcap_conf)) {
668 if (extcap_conf->show_config) {
669 ret = list_config(extcap_conf->interface, ssh_params->port);
674 result = WSAStartup(MAKEWORD(1,1), &wsaData);
676 g_warning("ERROR: WSAStartup failed with error: %d", result);
681 if (extcap_conf->capture) {
682 if (!ssh_params->host) {
683 g_warning("Missing parameter: --remote-host");
687 if (!remote_interface) {
688 g_warning("ERROR: No interface specified (--remote-interface)");
692 g_warning("ERROR: count of packets must be specified (--remote-count)");
695 ssh_params->debug = extcap_conf->debug;
696 ret = ssh_open_remote_connection(ssh_params, remote_interface,
697 remote_filter, count, extcap_conf->fifo);
699 g_debug("You should not come here... maybe some parameter missing?");
704 ssh_params_free(ssh_params);
705 g_free(remote_interface);
706 g_free(remote_filter);
707 extcap_base_cleanup(&extcap_conf);
712 * Editor modelines - https://www.wireshark.org/tools/modelines.html
717 * indent-tabs-mode: t
720 * vi: set shiftwidth=4 tabstop=4 noexpandtab:
721 * :indentSize=4:tabSize=4:noTabs=false: