
Ethereal-users: Re: [Ethereal-users] Only capture SSH on any port

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Fri, 10 Dec 2004 03:03:58 -0800
Tomas Björnerbäck wrote:

How should I create a capture filter that only captures SSH traffic, but ALL SSH traffic, no matter what port it’s on?

Can it be done?

Not as far as I know. The *only* way to do that would be to detect, by looking at the network traffic, packets that are SSH traffic, unless all SSH traffic not to a standard SSH port is preceded by traffic that you also capture that somehow specifies that future traffic to particular ports, or particular endpoints, will be SSH traffic, and *that* traffic can be identified with certainty - you can't base it on the port number if it's truly to handle *any* port. I don't know of any pattern in packet content that would identify SSH traffic and only SSH traffic, nor do I think there's any guarantee that there will be identifiable traffic that will always be captured that will indicate that some subsequent traffic will be SSH traffic.

It's probably hard enough for a human to recognize SSH traffic in the middle of a flow; expecting a computer program to do it is probably expecting too much.
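As an added illustration (not part of the thread), the Python below sketches the content-based check the reply describes as the only alternative to matching on a port, run over constructed IPv4/TCP packets: it matches the identification string that opens an SSH session and nothing that follows it, which is exactly why such a pattern cannot deliver "all SSH traffic".

```python
import struct

# The SSH protocol version exchange begins with "SSH-" (RFC 4253).
# The equivalent pcap capture filter is
#   tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x5353482d
# but it still only hits the one packet carrying the banner.
SSH_BANNER = b"SSH-"


def tcp_payload(ip_packet: bytes) -> bytes:
    """Return the TCP payload of a raw IPv4 packet, or b"" if it is not TCP."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return b""
    ihl = (ip_packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ip_packet[9] != 6 or len(ip_packet) < ihl + 20:
        return b""                           # protocol 6 == TCP
    tcp = ip_packet[ihl:]
    data_offset = (tcp[12] >> 4) * 4         # TCP header length in bytes
    return tcp[data_offset:]


def looks_like_ssh_banner(ip_packet: bytes) -> bool:
    """True only for the packet carrying the SSH identification string."""
    return tcp_payload(ip_packet).startswith(SSH_BANNER)


def build_ipv4_tcp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4+TCP packet (checksums left zero) for the demo."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload


# Constructed sample packets, not captured traffic.
SAMPLES = {
    "banner_on_port_2222": build_ipv4_tcp(51000, 2222, b"SSH-2.0-ExampleServer\r\n"),
    "encrypted_followup_on_2222": build_ipv4_tcp(51000, 2222, bytes(range(32))),
    "http_on_port_22": build_ipv4_tcp(51001, 22, b"GET / HTTP/1.1\r\n"),
}


def classify(samples: dict) -> dict:
    """Map each sample name to whether the banner heuristic flags it."""
    return {name: looks_like_ssh_banner(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hit in classify(SAMPLES).items():
        print(f"{name}: {'SSH banner' if hit else 'no match'}")
```

Only the first sample is flagged; the encrypted packets of the same session on port 2222 are invisible to the check, and a spoofed banner would match just as well.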