5

I'm trying to debug some by looking at the packets and I would like to avoid getting all the SSH traffic to the server. Is there a way to ignore it?

I tried to do something like tshark -f "port !22" but it stopped listening after the command.

[root@vpn ~]# tshark -f "port !22"
tshark -f "port ls"
Running as user "root" and group "root". This could be dangerous.
Capturing on venet0
tshark: arptype 65535 not supported by libpcap - falling back to cooked socket.

tshark: Invalid capture filter: "port ls"!

That string isn't a valid capture filter (unknown port 'ls').
See the User's Guide for a description of the capture filter syntax.
0 packets captured
[root@vpn ~]#
Tiffany Walker

2 Answers

8

Both tshark and tcpdump use the pcap library, so the capture filters use pcap-filter syntax. The filter you want is, as @tristan says, "not port 22". You can enter this as a quoted string argument to the -f option, or as an unquoted argument to the command. The following commands are equivalent:

# tshark -f "not port 22"
# tshark -- not port 22

The reason tshark complained about your command above is that your shell (probably Bash) expanded "!22" to command number 22 in your command history, which in this case was "ls". The Bash documentation has more information on history expansion.

bonsaiviking
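The answer above boils down to two things: keep the filter in pcap-filter syntax ("not port 22") and hand it to tshark as a single argument so no shell feature can rewrite it. The POSIX shell helper below is an added example, not code from either answer: it validates the port numbers, builds the exclusion filter, and passes it to tshark as one -f argument (the function names are assumed; it only runs tshark if it is installed).

```shell
# Build a pcap-filter expression that excludes the given ports.
# Every argument must be an integer in 1..65535; anything else is
# rejected, so a token mangled by the shell (like "ls" above) never
# reaches tshark as part of the filter.
exclude_ports_filter() {
    filter=""
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
        if [ -z "$filter" ]; then
            filter="not port $p"
        else
            filter="$filter and not port $p"
        fi
    done
    [ -n "$filter" ] || { echo "no ports given" >&2; return 1; }
    printf '%s\n' "$filter"
}

# Run tshark with the filter as a single -f argument. Using "not"
# instead of "!" sidesteps history expansion even when the command
# is typed interactively; the quotes keep the filter in one word.
# (capture_excluding is an assumed name; it only echoes if tshark
# is not installed.)
capture_excluding() {
    f=$(exclude_ports_filter "$@") || return 1
    if command -v tshark >/dev/null 2>&1; then
        tshark -f "$f"
    else
        echo "would run: tshark -f '$f'" >&2
    fi
}
```

Usage: `capture_excluding 22 443` captures everything except SSH and HTTPS.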
2

I don't have access to a tshark installation currently, but assuming that it's the same as tcpdump:

sudo tcpdump not port 22

so, potentially:

tshark not port 22
  • Tcpdump and Tshark (and Wireshark and Snort and ...) use libpcap for packet capture and as a result all share the same capture filter syntax. Higher level filtering (such as Wireshark's display filters or Snort's rules) is a different story. – Gerald Combs Jan 07 '13 at 21:14
  • I knew TShark used libpcap, but I didn't know that the syntax was dictated by the underlying library. Good to know. – 89c3b1b8-b1ae-11e6-b842-48d705 Jan 07 '13 at 21:16