I'm currently working with a particular system where a set of machines sends a message (a picture, to be more precise) to a server (mainly for storage purposes) when a certain triggering event occurs (in real time). These pictures are also stored locally on each piece of equipment.
I decided to venture into finding an alternative to this server, just for educational purposes. I made a Python script that accesses each machine every 15 minutes through SSH and, with the use of SCP, downloads the latest pictures to my workstation.
I'm happy with this solution, but I would also like to implement a way to get those pictures in a real-time fashion. So, I'm thinking about activating 'port mirroring' on the switch that the server machine is connected to and writing a Python script to decode the packets and download the pictures. Basically, I would have my workstation connected to a switch port that receives all the traffic going to the server machine.
Does anyone have an idea of how to decode these packets to get the pictures? How can one decode messages coming from the switch port? Using the netstat command in CMD, I might be able to get the port that identifies the server process; maybe that's a start, right?
Is it possible to use Wireshark to see what the payload format is and from there try to reverse engineer the pictures?
Please let me know of any approach you might know and/or find interesting to try.
Thank you.
No, you cannot Man-in-the-Middle SSH-encrypted packets if all you have is a capture from a port mirror. This is unless you are the NSA or a nation-state actor and have found a way to circumvent the encryption.
Does anyone have an idea of how to decode these packets to get the pictures?
Even if you could decrypt SSH (see below), it is not possible to do this with Wireshark. Per the Wireshark docs on SSH:
Unlike the SSL dissector, no code has been written to decrypt encrypted SSH packets/payload.
Is it possible to use Wireshark to see what the payload format is and from there try to reverse engineer the pictures?
No, it's encrypted; you can't see anything. The most you will be able to see is the SSH setup messages.
If you have access to the client/server and set this up beforehand, there are solutions to extract the secret keys from memory. Keep in mind that you MUST have this set up beforehand on the client or server, as these session keys expire with the session (depending on the protocol).
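To make the answer's point concrete, here is an added example (written for this page; it is not the answerer's code and not a Wireshark feature) of what a parser fed from a mirror port can actually recover from one direction of an SSH session. It implements the RFC 4253 binary packet format and name-list encoding, walks the cleartext handshake (version string, KEXINIT, KEX_ECDH_INIT, NEWKEYS), and then stops, because everything after NEWKEYS is under the negotiated cipher. The byte stream it parses is constructed inline, not a real capture: the algorithm names, cookie and ephemeral key bytes are fixed placeholders, and the "ciphertext" region is a SHA-256 hash chain standing in for real chacha20-poly1305 output.

```python
"""
Passive view of an SSH/SCP session from a mirror port: everything up to
NEWKEYS is parseable, everything after it is opaque.
"""
import hashlib
import struct

# Transport-layer message numbers (RFC 4253 section 12, RFC 5656 section 7.1).
# Number 30 is shared by KEXDH_INIT and KEX_ECDH_INIT.
SSH_MSG_NAMES = {20: "KEXINIT", 21: "NEWKEYS", 30: "KEX_ECDH_INIT", 31: "KEX_ECDH_REPLY"}


def _name_list(names):
    """RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode()
    return struct.pack(">I", len(data)) + data


def _read_name_list(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    text = buf[off:off + n].decode()
    return (text.split(",") if text else []), off + n


def wrap_packet(payload, block=8):
    """RFC 4253 section 6 binary packet: uint32 packet_length, byte padding_length,
    payload, padding (>= 4 bytes, total a multiple of the block size)."""
    pad = block - ((5 + len(payload)) % block)
    if pad < 4:
        pad += block
    body = bytes([pad]) + payload + b"\x00" * pad  # real peers use random padding
    return struct.pack(">I", len(body)) + body


def build_kexinit(kex, hostkey, enc, mac, comp):
    """Build a KEXINIT payload; the 16-byte cookie is a fixed placeholder here."""
    payload = bytes([20]) + b"\x11" * 16
    payload += _name_list(kex) + _name_list(hostkey)
    payload += _name_list(enc) + _name_list(enc) + _name_list(mac) + _name_list(mac)
    payload += _name_list(comp) + _name_list(comp) + _name_list([]) + _name_list([])
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    return payload


def parse_kexinit(payload):
    """Recover the ten name-lists a passive observer can read from KEXINIT."""
    off = 17  # skip message id and cookie
    fields = {}
    for key in ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"):
        fields[key], off = _read_name_list(payload, off)
    return fields


def passive_observe(stream):
    """Parse one direction of an SSH stream the way a mirror-port sniffer could."""
    eol = stream.index(b"\r\n")
    version = stream[:eol].decode()
    off = eol + 2
    messages, kexinit = [], None
    while off + 5 <= len(stream):
        (plen,) = struct.unpack_from(">I", stream, off)
        padlen = stream[off + 4]
        payload = stream[off + 5:off + 4 + plen - padlen]
        off += 4 + plen
        messages.append(SSH_MSG_NAMES.get(payload[0], "msg%d" % payload[0]))
        if payload[0] == 20:
            kexinit = parse_kexinit(payload)
        if payload[0] == 21:
            # After NEWKEYS the negotiated cipher is active. With
            # chacha20-poly1305 (and CBC/CTR without an ETM MAC) even the
            # packet_length field is encrypted, so the stream cannot be
            # delimited, let alone searched for the SCP header or JPEG bytes.
            break
    return {"version": version, "messages": messages,
            "kexinit": kexinit, "opaque_bytes": len(stream) - off}


def constructed_client_stream():
    """Constructed sample: the client half of an SCP session, not a real capture."""
    ident = b"SSH-2.0-OpenSSH_9.3\r\n"
    kexinit = wrap_packet(build_kexinit(
        ["curve25519-sha256"], ["ssh-ed25519"],
        ["chacha20-poly1305@openssh.com"], ["umac-128-etm@openssh.com"], ["none"]))
    # KEX_ECDH_INIT: string Q_C (placeholder bytes, not a real public key)
    ecdh_init = wrap_packet(bytes([30]) + struct.pack(">I", 32) + b"\x22" * 32)
    newkeys = wrap_packet(bytes([21]))
    # Stand-in for the encrypted channel that would carry "scp -t" and the
    # picture: a deterministic hash chain, no more parseable than real output.
    opaque = b"".join(hashlib.sha256(b"stand-in ciphertext block %d" % i).digest()
                      for i in range(64))
    return ident + kexinit + ecdh_init + newkeys + opaque


if __name__ == "__main__":
    info = passive_observe(constructed_client_stream())
    print(info["version"], info["messages"])
    print("negotiated ciphers offered:", info["kexinit"]["enc_c2s"])
    print("opaque bytes after NEWKEYS:", info["opaque_bytes"])
```

Run on the constructed stream, the parser reports the client version, the three handshake message types and the algorithm lists the client offered, and 2048 bytes it cannot interpret. That is the whole harvest from a mirror port: enough to fingerprint the SSH implementation and the cipher suite, nothing about the file being transferred.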