Small utility to perform tcpdump on remote machines.
Project description
## remotecap
A small utility to perform tcpdump packet captures remotely and stream the results back via SSH. It supports capturing from multiple machines at once using asyncio and can optionally use [uvloop](https://github.com/MagicStack/uvloop) for increased performance. Additionally, it displays the capture file sizes and growth rates so you know how much data you're getting.
### Installation
remotecap has three hard dependencies: `aiofiles`, `asyncssh`, and `py-term`. Optional dependencies are:
* [`bcrypt`](https://github.com/pyca/bcrypt/) enables SSH private keys (**strongly recommended**)
* [`libnacl`](https://github.com/saltstack/libnacl) to support more cryptographic options
* `libnacl` requires [`libsodium`](https://github.com/jedisct1/libsodium) which you should install via your distro's package manager
To install all hard and optional dependencies (excluding libsodium), you would run this command:
```bash
pip install 'remotecap[recommends]'
```
Once you have all the necessary dependencies, clone this repo and run `python remotecap.py`
### Usage
```text
usage: remotecap [-h] -w FILENAME [-f FILTER] [-k KEY] [-i INTERFACE]
[-p PASSWORD] [-s PACKET_LENGTH] [-u USER]
[-r REFRESH_INTERVAL]
machines [machines ...]
positional arguments:
machines Machines to perform the capture on. Required.
optional arguments:
-h, --help show this help message and exit
-w FILENAME, --filename FILENAME
File to write to if performing the capture on a single
machine. Folder to put captures in if capturing from
multiple machines. Required. (default: None)
-f FILTER, --filter FILTER
Filter to pass to tcpdump on the remote machine(s).
(default: not port 22)
-k KEY, --key KEY Location of SSH private keys to use. Can be specified
multiple times. (default:
[PosixPath('/home/evan/.ssh/id_rsa')])
-i INTERFACE, --interface INTERFACE
Interface to perform the capture with on the remote
machine(s). (default: any)
-p PASSWORD, --password PASSWORD
Password to use for SSH. SSH keys are recommended
instead. (default: None)
-s PACKET_LENGTH, --packet-length PACKET_LENGTH
Length of packets to capture. (default: 0)
-u USER, --user USER User to SSH as. The user must have sufficient rights.
(default: root)
-r REFRESH_INTERVAL, --refresh-interval REFRESH_INTERVAL
Interval to refresh file size and growth rates at.
(default: 5)
```
### Reasons this exists
1. I got really sick of sshing into a machine, running `tcpdump` with all of the flags needed, scping the cap file over, and then opening it in Wireshark. Packet traces are incredibly useful in many different situations, so this was bad.
2. Quite often, I had to capture from multiple machines at once. Take the steps above and repeat 2-10 times. I know there are things like tmux or various SSH tools to make this easier, but I wanted something simple that I could share.
3. I got tired of fixing shell scripts I wrote to attempt to resolve 1 and 2. Bash is a wonderful, terrible thing, and it didn't really meet my needs in this context.
4. I wanted semi-live viewing of my capture files. Being able to hit `c-R` to get new packets is nice.
5. I wanted to have a live display of how large my capture files were growing and the rate they were growing at.
6. I wanted more practice using `asyncio` and associated libraries. I've messed with Tornado in the past, but `asyncio` was very different and fun to learn.
### Various notes
* Currently, there are a couple tight loops that have `assert` statements in them. These can be pretty expensive and aren't really necessary for things to run. If you're running into issues, try running `python` with the `-O` flag, which will strip out asserts during compilation.
A small utility to perform tcpdump packet captures remotely and stream the results back via SSH. It supports capturing from multiple machines at once using asyncio and can optionally use [uvloop](https://github.com/MagicStack/uvloop) for increased performance. Additionally, it displays the capture file sizes and growth rates so you know how much data you're getting.
### Installation
remotecap has three hard dependencies: `aiofiles`, `asyncssh`, and `py-term`. Optional dependencies are:
* [`bcrypt`](https://github.com/pyca/bcrypt/) enables SSH private keys (**strongly recommended**)
* [`libnacl`](https://github.com/saltstack/libnacl) to support more cryptographic options
* `libnacl` requires [`libsodium`](https://github.com/jedisct1/libsodium) which you should install via your distro's package manager
To install all hard and optional dependencies (excluding libsodium), you would run this command:
```bash
pip install 'remotecap[recommends]'
```
Once you have all the necessary dependencies, clone this repo and run `python remotecap.py`
### Usage
```text
usage: remotecap [-h] -w FILENAME [-f FILTER] [-k KEY] [-i INTERFACE]
[-p PASSWORD] [-s PACKET_LENGTH] [-u USER]
[-r REFRESH_INTERVAL]
machines [machines ...]
positional arguments:
machines Machines to perform the capture on. Required.
optional arguments:
-h, --help show this help message and exit
-w FILENAME, --filename FILENAME
File to write to if performing the capture on a single
machine. Folder to put captures in if capturing from
multiple machines. Required. (default: None)
-f FILTER, --filter FILTER
Filter to pass to tcpdump on the remote machine(s).
(default: not port 22)
-k KEY, --key KEY Location of SSH private keys to use. Can be specified
multiple times. (default:
[PosixPath('/home/evan/.ssh/id_rsa')])
-i INTERFACE, --interface INTERFACE
Interface to perform the capture with on the remote
machine(s). (default: any)
-p PASSWORD, --password PASSWORD
Password to use for SSH. SSH keys are recommended
instead. (default: None)
-s PACKET_LENGTH, --packet-length PACKET_LENGTH
Length of packets to capture. (default: 0)
-u USER, --user USER User to SSH as. The user must have sufficient rights.
(default: root)
-r REFRESH_INTERVAL, --refresh-interval REFRESH_INTERVAL
Interval to refresh file size and growth rates at.
(default: 5)
```
### Reasons this exists
1. I got really sick of sshing into a machine, running `tcpdump` with all of the flags needed, scping the cap file over, and then opening it in Wireshark. Packet traces are incredibly useful in many different situations, so this was bad.
2. Quite often, I had to capture from multiple machines at once. Take the steps above and repeat 2-10 times. I know there are things like tmux or various SSH tools to make this easier, but I wanted something simple that I could share.
3. I got tired of fixing shell scripts I wrote to attempt to resolve 1 and 2. Bash is a wonderful, terrible thing, and it didn't really meet my needs in this context.
4. I wanted semi-live viewing of my capture files. Being able to hit `c-R` to get new packets is nice.
5. I wanted to have a live display of how large my capture files were growing and the rate they were growing at.
6. I wanted more practice using `asyncio` and associated libraries. I've messed with Tornado in the past, but `asyncio` was very different and fun to learn.
### Various notes
* Currently, there are a couple tight loops that have `assert` statements in them. These can be pretty expensive and aren't really necessary for things to run. If you're running into issues, try running `python` with the `-O` flag, which will strip out asserts during compilation.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
No source distribution files available for this release.See tutorial on generating distribution archives.
Built Distribution
remotecap-2.0.1-py3-none-any.whl
(19.6 kB
view hashes)
Close
Hashes for remotecap-2.0.1-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 67bf3a87daad6db4d9cfd19c59610ee455299c8f0de81b02c1717be902048618 |
|
| MD5 | d2353830436f281925b1cd0b0bc169c2 |
|
| BLAKE2b-256 | 9d17beb27ad739ce550119299a8fb928fd567cae1e38427839111b6473f83a48 |
