Archive for July, 2017

u2wcap: circular trace, stop when event detected

July 5th, 2017

This script is part of a series of scripts that perform packet capture between two endpoints. In this case the endpoints are a Unix machine and a Windows machine. This script was tested with the “source endpoint” a Red Hat Linux machine and the “target endpoint” a Windows Server 2016 machine. A circular trace is started on each machine, and both are stopped whenever an event is detected on the Unix side. In this case the event is the appearance of a particular string in a monitored file.

Requirements: Wireshark installed on Windows. OpenSSH installed on Windows.

#!/bin/bash
# Author: Garland R. Joseph,
# Date: May 2017
# This script is offered as is. It is designed to
# run a circular trace using tcpdump on UNIX system
# and wireshark on Windows systems.
# You will either have to manually enter the password
# for the root account on the remote system or set up
# ssh keys for promptless access.
# The traces will stop once a key string SEARCH_STRING is
# found in LOG_FILE.
# Note: Some UNIX systems like LINUX Fedora will
# result in permission denied when using
# tcpdump -W and -C options and writing to / or /root.
# Modify the REM_INTERFACE parameter below to fix the interface number
# on the windows system. Do a tshark -D to determine the interface number.
# -----

# Defaults

USAGE="u2wcap [-v] [ -c capture_file ] [ -w secs ] -h remote_host -l log_file -s search_string"
SLEEP_TIME="5" #seconds
DEBUG=false    # -v turns debug messages on

# The values below are referenced by the script but were not shown on the page;
# they are assumed defaults, adjust them for your environment.
REM_USER="root"                          # account on the Windows host (see header note)
REM_INTERFACE="1"                        # Windows interface number, from: tshark -D
REM_CAP_FILE="C:\\temp\\u2wcap.pcapng"   # capture file on the Windows host
LOC_CAP_FILE="/tmp/u2wcap.pcap"          # capture file on this host (see Fedora note)
LOC_INTERFACE="any"                      # interface on this host

# Options for remote tracing

FILESIZE=1000 #units or kB, so this means 1 Meg
#FILESIZE=500000 #512 Meg
#FILESIZE=1000000 #units or kB, so this means 1 Gig
FILECOUNT="2" #creates a count of FILECOUNT of trace files at most of size FILESIZE

# Process command line arguments

while getopts ":vc:w:l:s:h:" opts
do
  case ${opts} in
    v) DEBUG=true ;;
    c) LOC_CAP_FILE=${OPTARG} ;;
    w) SLEEP_TIME=${OPTARG} ;;
    l) LOG_FILE=${OPTARG} ;;
    s) SEARCH_STRING=${OPTARG} ;;
    h) REMOTE_HOST=${OPTARG} ;;
    ":") echo "Please specify a value for ${OPTARG}" ; exit 1 ;;
    \?) echo "${OPTARG} is not a valid switch" ; echo "${USAGE}" ; exit 1 ;;
  esac
done

# Ensure required values have been specified, check for existence of
# log file, getopts should handle case of no values for -l and -s.
# A sanity check in the event getopts varies per unix

if [[ -z ${SEARCH_STRING} || -z ${LOG_FILE} || -z ${REMOTE_HOST} ]]
then
  echo "${USAGE}"
  exit 1
fi
if ! [[ -f ${LOG_FILE} ]]
then
  echo "File ${LOG_FILE} does not exist"
  exit 1
fi

# Trace commands (assumed; the page does not show them): tshark keeps a ring
# buffer of FILECOUNT files of FILESIZE kB, tcpdump does the same locally
# (-C counts millions of bytes, so keep FILESIZE >= 1000; -W caps the file count).
TRACECMD="tshark -i ${REM_INTERFACE} -b filesize:${FILESIZE} -b files:${FILECOUNT} -w ${REM_CAP_FILE}"
TCPDUMPCMD="tcpdump -i ${LOC_INTERFACE} -C $(( FILESIZE / 1000 )) -W ${FILECOUNT} -w ${LOC_CAP_FILE}"

# Start trace on remote host (backgrounded; output discarded)
ssh ${REM_USER}@${REMOTE_HOST} "${TRACECMD}" > /dev/null 2>&1 &
${DEBUG} && echo "${0}-I-REMOTE, started on ${REMOTE_HOST}: ${TRACECMD}"

# Start trace on this host

${TCPDUMPCMD} 2>/dev/null 1>/dev/null &
LOCAL_PID=$!
${DEBUG} && echo "${0}-I-LOCAL_PID, local pid is ${LOCAL_PID}."

# Monitor log file: loop until the number of matching lines changes

old_count=`grep -c "${SEARCH_STRING}" "${LOG_FILE}"`
(( new_count=old_count ))
(( i = 0 ))
while (( old_count == new_count ))
do
  (( i++ ))
  ${DEBUG} && echo "${0}-F-SLEEP, sleeping ${SLEEP_TIME}, iteration ${i}."
  sleep ${SLEEP_TIME}
  new_count=`grep -c "${SEARCH_STRING}" "${LOG_FILE}"`
done

# At this point, search string has been found, stop traces

kill ${LOCAL_PID}
ssh ${REM_USER}@${REMOTE_HOST} taskkill /f /fi \"imagename eq tshark*\"

# Reminders

echo "Consult files ${REM_CAP_FILE} on remote host ${REMOTE_HOST} and ${LOC_CAP_FILE} on local host."




OpenSSH on Windows and Trouble-Shooting

July 5th, 2017

I recently installed OpenSSH on Windows from the following site: WinSCP.NET. I previously used the Cygwin version of SSH (server), but it’s not clear Cygwin maintains SSH any longer.

The instructions at WinSCP.NET are spot on; however, I did have a problem using my public key. In order to trouble-shoot ssh issues you have to stop the SSHD server from running and run the server in debug mode (bring up the Services dialog and stop the sshd server by right-clicking it; leave the ssh-agent service running).


Run SSHD in Debug Mode

Go to the openssh directory. I have installed OpenSSH in “c:\program files\openssh”. Note: the startup sshd_config file is also in this directory. To run the ssh server in debug mode, do ./sshd -ddd. Multiple d switches increase the level of debug information (the max is 3).


Run SSH client in verbose mode

I can use verbose mode from the client side to see additional debug information. You can run ssh -vvv (multiple v switches increase the level of verbosity; the max is 3).


Here’s a common issue. You want to use SSH keys to access your account; you’ve created your keys, transferred your public key to your remote account and created an authorized_keys file in the .ssh directory. You’ve also checked your file permissions, and you’re still getting prompted for a password. I am using my account Garland to ssh into the same Windows machine (using the loopback address) into the account wireshark. Here’s a transcript from the SSHD server process running in debug mode:


The yellow text above shows that the authorized_keys file is being processed, but you’re still getting the following:

A close look at the transcript from the debug file shows what looks like a key, but it also shows key not found. Let’s take a look at the .ssh/authorized_keys file in the wireshark user directory.

We should be able to read the key value.  Let’s take a look at the file that was created for user Garland (note: the entire key isn’t shown, but at least we can read this one).

So let’s recreate the authorized_keys file and check to ensure it looks correct.
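The check below is an added example and is not code from the original post or from OpenSSH: a small validator that reads an authorized_keys file the way sshd does (as raw bytes, one entry per line) and reports the format problems that produce a "key not found" while the file is visibly being processed. It goes beyond the single case in the post and also flags a file saved as UTF-16 (a common result of redirecting output from a Windows tool), a key line wrapped by an editor, a declared key type that does not match the encoded blob, and damaged base64. The sample file and the dummy ed25519 key in it are constructed for the example, not real keys.

```python
import base64
import binascii
import struct

# Key types accepted on an authorized_keys line (a subset, enough for this check)
KNOWN_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def read_ssh_string(buf, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then that many bytes."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[offset:offset + 4])
    if offset + 4 + n > len(buf):
        raise ValueError("truncated string body")
    return buf[offset + 4:offset + 4 + n], offset + 4 + n


def parse_blob(blob):
    """Split a decoded public-key blob into its wire-format string fields."""
    fields, off = [], 0
    while off < len(blob):
        field, off = read_ssh_string(blob, off)
        fields.append(field)
    return fields


def check_line(line):
    """Return None for a well-formed entry, otherwise a short description of the problem."""
    fields = line.split()  # simplification: options with quoted spaces are not handled
    # Layout is: [options] key-type base64-blob [comment]; the key type is field 0 or 1
    idx = next((i for i, f in enumerate(fields[:2]) if f in KNOWN_TYPES), None)
    if idx is None:
        return "no recognised key type (continuation of a wrapped line, or not a key)"
    if len(fields) < idx + 2:
        return "key type with no key data"
    key_type, b64 = fields[idx], fields[idx + 1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return "key data is not valid base64"
    try:
        parts = parse_blob(blob)
    except ValueError as err:
        return f"key blob is malformed ({err})"
    if len(parts) < 2:
        return "key blob carries no key material (truncated or wrapped line)"
    inner = parts[0].decode("ascii", "replace")
    if inner != key_type:
        return f"declared type {key_type} does not match encoded type {inner}"
    return None


def check_authorized_keys(data):
    """Check raw file bytes; return (valid_key_count, [(line_no, problem), ...]).

    Line number 0 marks a whole-file problem.
    """
    # sshd reads plain bytes: a UTF-16 file or embedded NULs means no line can ever match
    if data.startswith((b"\xff\xfe", b"\xfe\xff")) or b"\x00" in data:
        return 0, [(0, "file is UTF-16 or contains NUL bytes; save it as plain ASCII/UTF-8")]
    problems = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append((1, "UTF-8 byte-order mark precedes the first entry"))
        data = data[3:]
    valid = 0
    for lineno, raw in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        problem = check_line(line)
        if problem is None:
            valid += 1
        else:
            problems.append((lineno, problem))
    return valid, problems


def make_blob(key_type, *fields):
    """Build a public-key blob from wire-format strings (used only to construct sample data)."""
    out = b""
    for f in (key_type.encode(),) + fields:
        out += struct.pack(">I", len(f)) + f
    return out


# Constructed sample file (not a real key): a 32-byte dummy ed25519 public key
GOOD_B64 = base64.b64encode(make_blob("ssh-ed25519", bytes(range(32)))).decode()
SAMPLE = (
    "# constructed authorized_keys sample\n"
    f"ssh-ed25519 {GOOD_B64} garland@host\n"          # line 2: well formed
    f"ssh-rsa {GOOD_B64} wrong-type\n"                # line 3: declared type mismatches blob
    f"ssh-ed25519 {GOOD_B64[:24]}\n"                  # line 4: key wrapped by an editor ...
    f"{GOOD_B64[24:]} garland@host\n"                 # line 5: ... continuation without a type
    "ssh-ed25519 not*base64*at*all garland@host\n"    # line 6: damaged key data
).encode()
SAMPLE_UTF16 = SAMPLE.decode().encode("utf-16")       # same content saved as UTF-16 with BOM

if __name__ == "__main__":
    for name, content in (("sample", SAMPLE), ("sample-utf16", SAMPLE_UTF16)):
        valid, problems = check_authorized_keys(content)
        print(f"{name}: {valid} valid key(s)")
        for lineno, problem in problems:
            print(f"  line {lineno}: {problem}")
```

To run it against a real file, pass `open(path, "rb").read()` to `check_authorized_keys`; the file is read as bytes on purpose, because that is how sshd sees it. The stock tool for the same job is `ssh-keygen -l -f authorized_keys`, which prints a fingerprint for every line it can parse and skips the rest, so a line that goes missing from its output is the one to look at.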

Here is an example of a successful interactive login from the sshd debug log.  The key is successfully processed and an interactive session is shown to have started at the end of the log.

The next screen shows an ssh from the client side; however, this time we just run a directory listing (non-interactive). Note: my local user account is Garland and the target account is user wireshark. No password was required.

This is just a trivial example of resolving ssh issues. The process demonstrated herein is valid for more complex ssh issues. You can also run the sshd server in debug mode to ensure that your config file for sshd is configured correctly.