By default, once EVE-NG-Win-Client-Pack-2.0.exe has been installed on Windows, you can right-click a node in the EVE-NG Lab UI to open Wireshark and capture traffic from that remote node. Under the hood it invokes PuTTY's plink to log in to the remote device over SSH, runs tcpdump there, and pipes the capture in real time to the local Wireshark. The batch script lives in wireshark_wrapper.bat, and its core command is:

"C:\Program Files\EVE-NG\plink.exe" -ssh -batch -pw %PASSWORD% %USERNAME%@%HOST% "tcpdump -U -i %INT% -s 0 -w -%FILTER%" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -
The first time you use it, however, you will usually see the following error:
Connecting to "root"@192.168.124.25..."
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's ssh-ed25519 key fingerprint is:
ssh-ed25519 xxx
Connection abandoned.
The reason is that on the first SSH login to a Linux host the client has to save the peer's host key locally, and PuTTY stores SSH host keys in the registry. Because the wrapper runs plink with -batch, plink will not prompt you about the unknown key; it abandons the connection instead. One solution, therefore, is to log in to the remote device explicitly once with PuTTY and agree to save its host key; after that the wrapper works.
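An alternative to that one-off interactive login, shown here as an added example rather than the client pack's own wireshark_wrapper.bat, is to pin the expected fingerprint with plink's -hostkey switch. -batch honours a key given that way without prompting, so the wrapper never aborts, and the fingerprint is checked against something you read on the EVE-NG server itself (for example with ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub) instead of being accepted on first sight. The host address is taken from the error message above; the interface name, the EVE_PASSWORD environment variable and the HOSTKEY placeholder are assumptions you replace with your own values.

```batch
@echo off
REM Added example, not the EVE-NG client pack's wireshark_wrapper.bat.
REM Pins the lab server's host key fingerprint so that plink -batch accepts it
REM without an interactive first login. Read the fingerprint on the EVE-NG
REM server itself (ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub) and
REM paste it into HOSTKEY below.

set HOST=192.168.124.25
set USERNAME=root
set PASSWORD=%EVE_PASSWORD%
set INT=vunl0_1_0
set FILTER=
set HOSTKEY=SHA256:REPLACE_WITH_FINGERPRINT_READ_ON_THE_SERVER

REM Refuse to run with the placeholder still in place.
if "%HOSTKEY%"=="SHA256:REPLACE_WITH_FINGERPRINT_READ_ON_THE_SERVER" (
    echo Set HOSTKEY to the fingerprint read on the EVE-NG server first.
    exit /b 1
)

REM Informational: PuTTY caches accepted keys as registry values named
REM ^<keytype^>@^<port^>:^<host^>. If one exists the stock wrapper already works.
reg query "HKCU\Software\SimonTatham\PuTTY\SshHostKeys" /v "ssh-ed25519@22:%HOST%" >nul 2>&1
if %ERRORLEVEL%==0 echo Host key for %HOST% is already cached in the registry.

REM Same pipeline as the stock wrapper, with the fingerprint pinned. The pipe
REM must run under cmd.exe: Windows PowerShell 5.1 decodes native-command
REM output as text and would corrupt the pcap stream.
"C:\Program Files\EVE-NG\plink.exe" -ssh -batch -hostkey %HOSTKEY% -pw %PASSWORD% %USERNAME%@%HOST% "tcpdump -U -i %INT% -s 0 -w - %FILTER%" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -
```

With -hostkey set, plink compares the server's key against the pinned fingerprint rather than the registry cache, so a key that does not match is rejected even if a different one was cached earlier. As in the stock wrapper the password still goes on plink's command line via -pw; the example at least reads it from an environment variable instead of writing it into the script.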