using wireshark/tshark in command line to ignore ssh connections
Solution 1
Both tshark and tcpdump use the pcap library, so the capture filters use pcap-filter syntax. The filter you want is, as @tristan says, "not port 22". You can enter this as a quoted string argument to the -f option, or as an unquoted argument to the command. The following commands are equivalent:
# tshark -f "not port 22"
# tshark -- not port 22
The reason tshark complained about your command above is that your shell (probably Bash) expanded "!22" to command number 22 in your command history, which in this case was "ls". The Bash documentation has more information on history expansion.
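A small helper illustrating the two points of this answer (pcap-filter syntax and keeping "!" out of the command line); this is an added example, not code from the answer or from the tshark project, and it assumes only that tshark accepts the -f and -- forms shown above:

```shell
# Build a pcap capture filter that excludes one or more ports, e.g.
#   build_exclude_filter 22 443  ->  "not port 22 and not port 443"
# Only digit strings are accepted, so a stray "!22" (which an interactive
# Bash would have replaced via history expansion) is rejected instead of
# silently turning into an invalid filter such as "port ls".
build_exclude_filter() {
  filter=""
  for p in "$@"; do
    case "$p" in
      ""|*[!0-9]*) echo "invalid port: '$p'" >&2; return 1 ;;
    esac
    if [ -z "$filter" ]; then
      filter="not port $p"
    else
      filter="$filter and not port $p"
    fi
  done
  printf '%s\n' "$filter"
}

# Render the equivalent tshark command line. The "--" ends option parsing,
# so the filter words are passed through exactly as written (the same form
# as "tshark -- not port 22" in the answer).
capture_command() {
  f=$(build_exclude_filter "$@") || return 1
  printf 'tshark -- %s\n' "$f"
}

# Actually start the capture (needs the same privileges tshark normally
# needs); the quoted -f form is used here so the filter is one argument.
run_capture() {
  f=$(build_exclude_filter "$@") || return 1
  tshark -f "$f"
}
```

In an interactive Bash session, `set +H` turns history expansion off, which is another way to keep "!22" from being rewritten before tshark ever sees it.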
Solution 2
I don't have access to a tshark installation currently, but assuming that it's the same as the tcpdump:
sudo tcpdump not port 22
so, potentially:
tshark not port 22
Tiffany Walker
Updated on September 18, 2022
Comments
-
Tiffany Walker over 1 year
I'm trying to debug some by looking at the packets and I would like to avoid getting all the SSH traffic to the server. Is there a way to ignore?
I tried to do something like
tshark -f "port !22"
but it stopped listening after the command.
[root@vpn ~]# tshark -f "port !22"
tshark -f "port ls"
Running as user "root" and group "root". This could be dangerous.
Capturing on venet0
tshark: arptype 65535 not supported by libpcap - falling back to cooked socket.
tshark: Invalid capture filter: "port ls"!
That string isn't a valid capture filter (unknown port 'ls').
See the User's Guide for a description of the capture filter syntax.
0 packets captured
[root@vpn ~]#
-
89c3b1b8-b1ae-11e6-b842-48d705 over 11 years
I knew TShark used libpcap, but I didn't know that the syntax was dictated by the underlying library. Good to know.