Setting up a reverse SSH tunnel using PuTTY. WWW.Smythies.com
These notes exist merely because I keep forgetting how to set up two reverse Secure Shell (SSH) tunnels, which are then used to have two tcpdump sessions, one for each of eth0 and eth1, feeding data to two instances of wireshark running on a Windows PC. (This also requires a Windows version of netcat, ncat, installed on the Windows PC.)
In this write up, eth0 is the internal interface, eth1 is the external interface, and the data will end up piped to a computer on the local network.
Background / Context: At first glance, the reader might wonder, why is this being done this way? My server is just that, a server / router with no GUI (Graphical User Interface). So if I want to have the realtime graphical wireshark type display of things, I need to pipe the data to another computer, in my case an MS Windows computer.
Obviously, this page could also be used as a "howto" to set up one pipe, which I often do now. When these pages were written, I was looking for NAT (Network Address Translation) issues and wanted to observe both sides of the server/router.
This web page gets a lot of hits from search sites (i.e. google), and if you came here via that route I hope these notes help.
Step 1: From the local computer on which wireshark will eventually be run, start a PuTTY Secure Shell session in the usual way. Ultimately 3 PuTTY sessions will be needed; they can all be started now.
Step 2: Create two reverse SSH tunnels within the PuTTY session. Position the mouse over the window title bar, and right click to open the PuTTY menu bar. Position the cursor over the "Change Settings" menu item and left click to open the menu:

Step 3: Under the Connection category, under SSH, select Tunnels to open the port forwarding dialog box. Add the desired two tunnels as shown below (in PuTTY's terms these are "Remote" tunnels: source port 12345 on the server forwarding to localhost:12346 on the PC, and 12355 forwarding to localhost:12356, which are the port numbers used in the steps that follow):

Note the only reason that I have used different port numbers on each end of each tunnel is to be certain of which end is which. You don't need to, and it might be easier to just make them the same.
Step 4: Start the Windows PC side of monitoring the data stream. This requires a command line ncat command listening on the PC end of the reverse tunnel, piped to a command line wireshark command:
ncat -l localhost 12346 | "C:\Program Files\Wireshark\wireshark.exe" -ki -
Step 5: Start the linux box side, where tcpdump will feed binary data to the dedicated tunnel. Step 4 must be done first; otherwise the linux side terminates, because the data has nowhere to go once the buffer fills. Use an available PuTTY session to issue a tcpdump command that pipes its output to netcat (nc on linux), which stuffs it into the tunnel:
sudo tcpdump -i eth1 -w - | nc -w 1200 -v 127.0.0.1 12345
Note: add the -U option to the tcpdump command for "packet-buffered" output, so that each packet is written to the pipe as soon as it is captured rather than only when the output buffer fills; without it the wireshark display lags behind on a quiet interface.
Step 6: Repeat steps 4 and 5 to create the second wireshark session. Because the PC is on the eth0 side, the SSH session carrying the tunnels itself crosses eth0; capturing that traffic would feed the capture data back into the capture and grow without limit. To prevent this unlimited packet growth, port 22, the secure shell port, must be excluded from the tcpdump monitoring:
Windows PC end:
ncat -l localhost 12356 | "C:\Program Files\Wireshark\wireshark.exe" -ki -
Linux Server end:
sudo tcpdump -i eth0 not port 22 -w - | nc -w 1200 -v 127.0.0.1 12355
Step 7: Once the desired work is done, shut down the programs, pipes and tunnels. Close wireshark, saving the session if desired. If the ncat command line does not close by itself, CTRL-C it. CTRL-C in the PuTTY session running tcpdump. Close PuTTY, or use the same tunnel menu from step 2 to delete the tunnels.
Note: Be sure that SSH TCP forwarding is not disabled in your sshd_config file. It defaults to allowed if the directive is missing. Check for a line with "AllowTcpForwarding no" and either comment it out, delete it, or set it to "yes". If you are having trouble with nc saying "connection refused", this might be the problem.
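Added here as an example, not part of the original notes: the whole procedure (steps 2 to 6) as shell functions using the OpenSSH client's -R option, which is the command-line equivalent of PuTTY's "Remote" tunnel type, together with a check of the server's sshd_config for the AllowTcpForwarding directive described in the note above. The login name user@server, the script file name and the function names are assumptions; the port numbers are the ones used in steps 4 to 6. The sshd_config scan goes a little beyond the note: it applies sshd's first-occurrence rule, accepts the "Keyword=value" spelling, stops at the first Match block (directives there are conditional, so only the global setting is reported), and knows that of the values sshd accepts (yes, all, local, remote, no) only yes, all and remote permit a reverse tunnel.

```shell
#!/bin/sh
# Added example, not from the original page: the two reverse tunnels and the
# tcpdump-to-Wireshark pipes as shell functions, using the OpenSSH client's -R
# (PuTTY's "Remote" tunnel type) instead of the PuTTY dialog, plus a check of
# the server's sshd_config for the AllowTcpForwarding directive that the note
# above says can cause nc to report "connection refused".
# Assumed: the login name is passed as user@server; the port numbers are the
# ones used on this page (server 12345 -> PC 12346 for eth1, 12355 -> 12356 for eth0).

# Print the effective global value of AllowTcpForwarding from an sshd_config
# file. sshd uses the first occurrence of a keyword, keywords are
# case-insensitive, "Keyword=value" is accepted as well as "Keyword value",
# comment lines are ignored, and a missing directive means "yes". Directives
# after a "Match" line are conditional, so the scan stops there and reports
# only the global setting.
effective_tcp_forwarding() {
    awk '
        { gsub(/=/, " "); $0 = $0 }               # normalise "Keyword=value"
        tolower($1) == "match" { exit }           # conditional section begins
        tolower($1) == "allowtcpforwarding" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }           # default when absent
    ' "$1"
}

# Succeed (exit 0) when a reverse tunnel is permitted. Of the values sshd
# accepts, "yes", "all" and "remote" allow -R / "Remote" tunnels; "no" and
# "local" refuse them, which is what shows up as nc's "connection refused".
remote_forwarding_allowed() {
    case "$(effective_tcp_forwarding "$1")" in
        yes|all|remote) return 0 ;;
        *)              return 1 ;;
    esac
}

# tcpdump filter for a capture interface. On the interface that carries the SSH
# session itself (eth0 here), the tunnel's own port 22 traffic must be excluded,
# or the captured bytes are captured again and the stream grows without limit.
capture_filter() {
    if [ "$1" = "$2" ]; then echo "not port 22"; else echo ""; fi
}

# PC side, steps 2 and 3: each -R makes the server's 127.0.0.1:<port> connect
# back to localhost:<port> on this PC. -N opens no shell; keep this running in
# its own terminal for as long as the captures are needed.
open_reverse_tunnels() {
    ssh -N -R 12345:localhost:12346 -R 12355:localhost:12356 "$1"
}

# PC side, step 4, for a PC that has ncat and wireshark on its PATH.
start_listener() {
    ncat -l localhost "$1" | wireshark -k -i -
}

# Server side, steps 5 and 6: stream packets from an interface into its tunnel.
# -U writes each packet as it is captured instead of once per buffer fill.
start_capture() {
    # $3 is left unquoted on purpose so that "not port 22" splits into words
    # shellcheck disable=SC2086
    sudo tcpdump -U -i "$1" $3 -w - | nc -w 1200 -v 127.0.0.1 "$2"
}

# Usage (nothing runs when the file is sourced or run without arguments):
#   sh reverse_capture.sh check [/path/to/sshd_config]                        # server
#   sh reverse_capture.sh tunnel user@server                                  # PC
#   sh reverse_capture.sh listen 12346                                        # PC
#   sh reverse_capture.sh capture eth0 12355 "$(capture_filter eth0 eth0)"    # server
case "${1:-}" in
    check)   effective_tcp_forwarding "${2:-/etc/ssh/sshd_config}" ;;
    tunnel)  open_reverse_tunnels "$2" ;;
    listen)  start_listener "$2" ;;
    capture) start_capture "$2" "$3" "${4:-}" ;;
esac
```

Run the check on the server first; if it prints "no" or "local", nc's "connection refused" in step 5 is explained before any tunnel is opened. The order of the remaining commands is the same as in the steps above: tunnel, then listener, then capture, so that the tunnel's connect-back always finds something listening.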
References:
netcat web site (the nmap one)
wireshark web site