I'm trying to debug some by looking at the packets and I would like to avoid getting all the SSH traffic to the server. Is there a way to ignore?
I tried to do something like tshark -f "port !22" but it stopped listening after the command.
[root@vpn ~]# tshark -f "port !22"
tshark -f "port ls"
Running as user "root" and group "root". This could be dangerous.
Capturing on venet0
tshark: arptype 65535 not supported by libpcap - falling back to cooked socket.
tshark: Invalid capture filter: "port ls"!
That string isn't a valid capture filter (unknown port 'ls').
See the User's Guide for a description of the capture filter syntax.
0 packets captured
[root@vpn ~]#
Both tshark and tcpdump use the pcap library, so the capture filters use pcap-filter syntax. The filter you want is, as @tristan says, "not port 22". You can enter this as a quoted string argument to the -f option, or as an unquoted argument to the command. The following commands are equivalent:

The reason tshark complained about your command above is that your shell (probably Bash) expanded "!22" to command number 22 in your command history, which in this case was "ls". The Bash documentation has more information on history expansion.
I don't have access to a tshark installation currently, but assuming that it's the same as tcpdump:
so, potentially: