if you want to do live capturing and decode using ethereal/tethereal then you'd simply do:
ssh [EMAIL PROTECTED] "sudo tcpdump -ni eth0 -s 0 -w -" | tethereal -nli -
That works for Tethereal. For Ethereal, it's a bit more complicated - on UN*X, you'd create a named pipe file with "mknod p /tmp/temporarypipe", use "/tmp/temporarypipe" as the capture device in Ethereal, and then do
ssh [EMAIL PROTECTED] "sudo tcpdump -ni eth0 -s 0 -w -" >/tmp/temporarypipe
Both of those are a bit ugly, though, and named pipes don't exist, as far as I know, in the file system namespace on Windows, so the Ethereal trick won't work on Windows.
Some scheme wherein you could capture on "ssh://[EMAIL PROTECTED]/eth0" (using a syntax along the lines of what WinPcap currently uses for the remote capture protocol they're developing), or something such as that, might be a bit cleaner. However, there'd be a bit of a headache trying to get the remote account's password, or the password to allow access to the user's local key information. Redirecting the standard error of the ssh command, as well as its standard input and output, might handle that. If not, it might be doable by using libssh:
http://www.0xbadc0de.be/?part=libssh
(although they only mention the SSH2 protocol - are there servers that do only SSH1 and, if so, would that be an issue?).
You could also run
ssh [EMAIL PROTECTED] "sudo tcpdump -D"
to enumerate the interfaces on the remote machine *if* that machine has a new enough version of tcpdump.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
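The two pipelines described in the post, as an added example that is not from the original message: a small POSIX sh script that builds the ssh/tcpdump command line and demonstrates the named-pipe variant locally, with a constructed pcap header standing in for the remote tcpdump so it runs without a remote host. The user@host, eth0 and the -U flag are assumptions; -U (packet-buffered output) needs a tcpdump new enough to have it, and without it tcpdump's stdio buffering holds packets back until a block fills, which makes a "live" capture over a pipe look stalled.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the
# "tcpdump -w - over ssh" trick and shows the named-pipe variant locally.

# Build the ssh command line. The whole remote command is a single ssh
# argument so the remote shell (under sudo) parses it.
#   -n    no name resolution (tcpdump would otherwise stall on reverse DNS)
#   -i    interface on the remote box
#   -s 0  full packets, not the default 68-byte snaplen
#   -U    flush after each packet (assumed: needs a tcpdump that has -U)
#   -w -  pcap stream to stdout, which ssh relays to our stdout
remote_capture_cmd() {
    # $1 = user@host, $2 = interface, $3 = optional BPF filter expression
    user_host=$1; iface=$2; filter=${3:-}
    cmd="sudo tcpdump -ni $iface -s 0 -U -w -"
    if [ -n "$filter" ]; then
        cmd="$cmd $filter"
    fi
    printf 'ssh %s "%s"\n' "$user_host" "$cmd"
}

# Named-pipe variant: the reader opens the FIFO as its "capture file" while
# the ssh/tcpdump pipeline writes into it. Demonstrated here with a
# constructed 8-byte pcap prefix (little-endian magic d4 c3 b2 a1, version
# 2.4), i.e. what "tcpdump -w -" emits before the first packet record.
fifo_passthrough() {
    fifo=${TMPDIR:-/tmp}/capture_fifo.$$
    out=${TMPDIR:-/tmp}/capture_out.$$
    rm -f "$fifo"
    mkfifo "$fifo"      # "mknod p" in the post; mkfifo is the portable spelling
    # Reader first, in the background: opening the FIFO for reading blocks
    # until a writer shows up, exactly like ethereal waiting on the pipe.
    od -An -tx1 -N4 "$fifo" | tr -d ' \n' > "$out" &
    # Writer: stands in for  ssh host "sudo tcpdump -w -" > fifo
    printf '\324\303\262\241\002\000\004\000' > "$fifo"
    wait
    cat "$out"          # the magic number, as the reader saw it
    rm -f "$fifo" "$out"
}

# Real use (not run here, it needs the remote host):
#   eval "$(remote_capture_cmd user@host eth0 'not port 22')" | tethereal -nli -
```

The filter in the usage comment matters in practice: capturing on the same interface the ssh session rides on feeds the capture's own ssh traffic back into the capture, so exclude the session (port 22, or the specific peer) unless that is what you want to see.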