tcpdump in ssh

Red Squirrel (No Lifer, joined May 24, 2003, www.anyf.ca)
Is there a way to tell tcpdump to NOT register ssh traffic? It's hard to try and read the output when 99% of it is my actual ssh session. I can write to file then download and open in ethereal but it's so much easier to just do it live.

Nothinman (Elite Member, joined Sep 14, 2001)
Look at the filtering options in tcpdump, you can filter on pretty much any aspect of traffic that you can think of.

Crusty (Lifer, joined Sep 30, 2001)
Yep, it's easier to build filters to only catch the traffic you are interested in.

Nothinman (Elite Member, joined Sep 14, 2001)
Originally posted by: Crusty
Yep, it's easier to build filters to only catch the traffic you are interested in.

Generally, yes. But sometimes you're not sure what you're looking for so it's simpler to specify what you're not looking for and that's just as easy with pcap filters in tcpdump or wireshark.

Red Squirrel (No Lifer, joined May 24, 2003, www.anyf.ca)
Found out that you can add ethereal style filters at the end, so got it working.

And yeah, I'd rather filter out what I don't want than filter in only what I want, as I might miss other stuff.

I've also found that disabling lookups helps a lot to decrease network traffic / logging.


Crusty (Lifer, joined Sep 30, 2001)
Originally posted by: RedSquirrel
Found out that you can add ethereal style filters at the end, so got it working.

And yeah, I'd rather filter out what I don't want than filter in only what I want, as I might miss other stuff.

I've also found that disabling lookups helps a lot to decrease network traffic / logging.

Yeah, I guess I'm used to looking at packets for specific protocols to debug application issues where it makes sense to filter only what I'm looking for.