Ethereal-users: Re: [Ethereal-users] Only capture SSH on any port
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
Tomas Björnerbäck wrote:
> How should I create a capture filter that only captures SSH traffic, but
> ALL SSH traffic, no matter what port it’s on?
> Can it be done?
Not as far as I know. The *only* way to do that would be to detect, by
looking at the network traffic, a packet that's SSH traffic, unless all
SSH traffic not to a standard SSH port is preceded by traffic that you
also capture that somehow specifies that future traffic to particular
ports, or particular endpoints, will be SSH traffic, and *that* traffic
can be identified with certainty - you can't base it on the port number
if it's truly to handle *any* port. I don't know of any pattern in
packet content that would identify SSH traffic and only SSH traffic, nor
do I think there's any guarantee that there will be identifiable traffic
that will always be captured that will indicate that some subsequent
traffic will be SSH traffic.
It's probably hard enough for a human to recognize SSH traffic in the
middle of a flow; expecting a computer program to do it is probably
expecting too much.
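
The stateful approach the reply describes, as an added example that is not part of the original message: a Python sketch that tags a TCP flow as SSH only when the first payload it sees in some direction begins with the `SSH-` identification string defined in RFC 4253 section 4.2, then selects later packets by flow rather than by content. The packet tuples, addresses and function names are constructed for illustration.

```python
# Added illustration: per-flow state is needed, which a stateless capture
# filter cannot keep. Packets are (src, sport, dst, dport, tcp_payload).
SSH_PREFIX = b"SSH-"  # RFC 4253 4.2: "SSH-protoversion-softwareversion"

def flow_key(src, sport, dst, dport):
    """Direction-independent key for one TCP connection."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def select_ssh_packets(packets):
    """Return indexes of packets in flows tagged as SSH.

    A flow is tagged when the first payload-bearing segment observed in
    either direction starts with the identification string. Segments seen
    before that point (e.g. the handshake) are not selected, and a flow
    whose identification string was never observed is never tagged.
    """
    ssh_flows = set()   # flows known to be SSH
    seen_dirs = set()   # directions whose first payload was already inspected
    selected = []
    for i, (src, sport, dst, dport, payload) in enumerate(packets):
        key = flow_key(src, sport, dst, dport)
        direction = (src, sport, dst, dport)
        if payload and direction not in seen_dirs:
            seen_dirs.add(direction)
            if payload.startswith(SSH_PREFIX):
                ssh_flows.add(key)
        if key in ssh_flows:
            selected.append(i)
    return selected

# Constructed sample traffic (not from a real capture).
PACKETS = [
    ("10.0.0.5", 40001, "10.0.0.9", 2222, b""),                          # 0: handshake, no payload
    ("10.0.0.5", 40001, "10.0.0.9", 2222, b"SSH-2.0-client_example\r\n"),  # 1: identification string
    ("10.0.0.9", 2222, "10.0.0.5", 40001, b"SSH-2.0-server_example\r\n"),  # 2: identification string
    ("10.0.0.5", 40001, "10.0.0.9", 2222, b"\x00\x00\x01\x2c\x0a\x14"),    # 3: later traffic, same flow
    ("10.0.0.7", 40002, "10.0.0.9", 22, b"\x8f\x11\x42\xa0\x5c"),          # 4: session joined mid-flow
    ("10.0.0.7", 40003, "10.0.0.9", 80, b"GET / HTTP/1.1\r\n"),            # 5: not SSH
]

if __name__ == "__main__":
    print(select_ssh_packets(PACKETS))
```

Packet 4 is missed even though it is on port 22, because the start of that session was never observed and nothing in its content marks it as SSH.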