Tcpdump is a command-line packet analysis tool. We can use tcpdump to capture ssh traffic to troubleshoot connection issues and look for potential security issues on a network.
- What is SSH?
- What is the default port number for ssh?
- How to capture SSH traffic with Tcpdump?
What is SSH?
SSH is a protocol purpose-built for secure remote login and for carrying other network services securely over an insecure network.
The benefit of SSH is that we can connect to a server from anywhere and control most of its functions without having to be in front of the machine.
What is the default port number for ssh?
The default port number for the SSH protocol is 22 on Linux. This can be changed in the SSH server configuration file /etc/ssh/sshd_config. Many hosting companies change this number to another port for security reasons.
We can log in to a remote server with the ssh command, for example: ssh howtouselinux.com
How to capture SSH Traffic with Tcpdump?
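We can filter on TCP port 22 in the tcpdump command to capture all the SSH traffic. The first filter below matches packets whose source or destination port is 22. The second compares bytes 2-3 of the TCP header, which hold the destination port, with 22, so it captures only packets sent to port 22 (client to server).
tcpdump -i eth0 tcp port 22
tcpdump -i eth0 'tcp[2:2] = 22'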
The output format of tcpdump depends on the protocol. A typical output line for TCP looks like this:
21:38:44.202888 IP 10.79.97.62.60915 > 22.214.171.124.22: Flags [S], seq 1580803359, win 65535, options [mss 1366,nop,wscale 6,nop,nop,TS val 552701199 ecr 0,sackOK,eol], length 0
We can save the captured packets into a file rather than printing them out by using the “-w” flag.
tcpdump -i eth0 -w /tmp/ssh.pcap tcp port 22
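As an added example (not code from the original post), the shell functions below read tcpdump text output in the format shown above and count SSH connection attempts, meaning bare SYN packets sent to port 22, per source address, which quickly shows a host making repeated attempts. It assumes IPv4 output produced with -nn (numeric addresses and ports); the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): count SSH connection attempts
# (bare SYN packets sent to TCP port 22) per source address.
# Assumption: input is IPv4 text output of "tcpdump -nn", e.g.
#   tcpdump -nn -r /tmp/ssh.pcap | ssh_syn_counts

# Reads tcpdump lines on stdin, prints "<count> <source-ip>", busiest first.
ssh_syn_counts() {
    awk '
        # Fields: time, "IP", src.port, ">", dst.port:, "Flags", "[S],", ...
        $2 == "IP" && $4 == ">" && $6 == "Flags" && $7 == "[S]," {
            if ($5 !~ /\.22:$/) next      # destination port must be 22
            src = $3
            sub(/\.[0-9]+$/, "", src)     # strip the ephemeral source port
            count[src]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Prints only the sources with at least $1 connection attempts.
ssh_noisy_sources() {
    ssh_syn_counts | awk -v min="$1" '$1 >= min { print $2 }'
}

# Constructed sample capture (documentation addresses, not real traffic).
sample_capture() {
    cat <<'EOF'
21:38:44.202888 IP 192.0.2.10.60915 > 198.51.100.5.22: Flags [S], seq 1580803359, win 65535, options [mss 1366,nop,wscale 6], length 0
21:38:44.250112 IP 198.51.100.5.22 > 192.0.2.10.60915: Flags [S.], seq 901, ack 1580803360, win 65160, length 0
21:38:44.250901 IP 192.0.2.10.60915 > 198.51.100.5.22: Flags [.], ack 1, win 2058, length 0
21:38:45.100000 IP 203.0.113.7.40001 > 198.51.100.5.22: Flags [S], seq 100, win 64240, length 0
21:38:45.300000 IP 203.0.113.7.40002 > 198.51.100.5.22: Flags [S], seq 200, win 64240, length 0
21:38:45.500000 IP 203.0.113.7.40003 > 198.51.100.5.22: Flags [S], seq 300, win 64240, length 0
21:38:46.000000 IP 192.0.2.10.22 > 198.51.100.5.51000: Flags [S], seq 400, win 64240, length 0
EOF
}

sample_capture | ssh_syn_counts
```

The SYN-ACK reply and the packet whose source port is 22 are not counted, because only a bare SYN addressed to port 22 marks a new inbound SSH connection attempt.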