Live Wireshark Capture with ssh-key on Checkpoint Firewalls

Question

I am trying to run a live Wireshark capture on Checkpoint Firewalls that can be started via cmd using plink.exe and pageant running in the background. This should all be deployable via Checkpoint scripts which is run via a management console in Privilege mode. Script deployment is important as we have around 100+ devices.

I am not very familiar working with Linux and I bet there a many different ways to solve this issue.

The Goal is that the user is only able to run the tcpdump command via ssh that is then piped into wireshark.

I found this cmd command online:

plink.exe -batch -l wireshark *IP* "timeout 300 tcpdump -s0 -ni Mgmt -w - " | "C:\Program Files\wireshark\wireshark.exe" -k -i -

And I was able to make this work for the User, but the next goal was the limitation.

I found out that you can use the authorized_keys file to limit to specific commands, but now I need to somehow be able to have a variable going for the interface, otherwise it would make no sense to have this command. It was also important that this command is not run on multiple interfaces or without the timeout as this could create Performance issues.

So far I have this:

# Adding User + group
useradd -u *some ID* wireshark 
usermod -g wireshark pcap

# Creating .ssh folder + access file with public key
cd /home/wireshark
mkdir .ssh
cd .ssh
echo command="timeout 300 tcpdump -s0 -ni Mgmt -w -" ssh-rsa *key* /home/wireshark/.ssh/authorized_keys
chmod 600 authorized_keys
chown wireshark:pcap authorized_keys
cd ..
chmod 755 .ssh
chown wireshark:wireshark .ssh
cd /home/
chown wireshark:pcap wireshark 

# Setting permissions for tcpdump via pcap group 
chgrp pcap /usr/sbin/tcpdump
chmod 750 /usr/sbin/tcpdump
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

The Script has been tested and so far everything works as expected with deployment.

I am not sure if it is possible to solve this way. The best solution would be If you could any parameters you want after "timeout 300 tcpdump"... That would also allow our user to make use of the -host parameter.

I have tried things like

command=("timeout 300 tcpdump -s0 -ni" + $A + "-w -")...

But that is not working

Answer 1

If I understand you correctly the goal is to invoke a tcpdump on the remote end, using parameters to said command provided locally?

That can be achieved using the variable SSH_ORIGINAL_COMMAND.

Let's say you have a script /usr/local/sbin/dumper as the command in authorized_keys on the far end that looks something like this:

#!/bin/bash
if [[ -n $SSH_ORIGINAL_COMMAND ]]
then
    timeout 300 tcpdump -s0 -ni "$SSH_ORIGINAL_COMMAND" -w - 
else
    echo "No params specified!"
fi

You'd obviously need to sanitise/safety-check the content of said variable, this is a minimum viable approach.