Skip to Content

Filtering SSH Packets with Tcpdump on Port 22

Tcpdump is a command-line packet analysis tool. We can use tcpdump to capture ssh traffic to troubleshoot connection issues and look for potential security issues on a network.

  • What is SSH?
  • What is the default port number for ssh?
  • How to capture SSH traffic with Tcpdump?


What is SSH?

SSH, which stands for Secure Shell, is a protocol that lets you remotely access and manage computers over a secure network connection.

It provides a secure way to establish a connection between your local computer and a remote server, allowing you to execute commands, transfer files, and perform administrative tasks on the remote machine.

In simpler terms, SSH is like a magic tunnel that enables you to control another computer as if you were sitting right in front of it. It’s widely used by system administrators, developers, and anyone who needs secure remote access to their machines.

 Check this post to learn about which ssh key is secure.

What is the default port number for ssh?

In the networking world, a port number is a numeric identifier used to specify a particular endpoint within a computer network. Each port number is associated with a specific protocol and corresponds to a particular service or application running on a device.

The default port number for SSH (Secure Shell) is 22. When establishing an SSH connection, if no port number is specified, the client assumes port 22 by default. However, it’s important to note that the SSH server can be configured to listen on a different port if desired.

In some cases, system administrators might choose to change the default port to enhance security or to accommodate specific network configurations.

Check this post to learn about Setup SSH Keys to Login Linux Without Password.

We can log in to the remote server using ssh command ssh

How to capture SSH Traffic with Tcpdump?

To capture SSH traffic using tcpdump, you can follow these steps:

  • Open a terminal or command prompt on the machine where you want to capture SSH traffic.
  • Run the following tcpdump command to capture SSH traffic:

sudo tcpdump -i <interface> port 22

  • Replace <interface> with the network interface that is used for your SSH connections (e.g., eth0, wlan0).

Note: Running tcpdump typically requires root or administrator privileges, hence the use of sudo.

tcpdump will start capturing SSH traffic on the specified interface and display the captured packets in the terminal window.

Perform SSH connections or activities that you want to capture. Any SSH traffic passing through the specified interface will be captured by tcpdump.

  • Press Ctrl+C to stop the tcpdump command and end the packet capture.
  • Analyze the captured packets to inspect the SSH traffic. tcpdump will display information such as source and destination IP addresses, port numbers, packet timestamps, and packet contents.


We can filter tcp port 22 in tcpdump command to capture all the ssh traffic.

tcpdump -i eth0 tcp port 22

tcpdump -i eth0 'tcp[2:2] = 22'

The output of tcpdump is format dependent. A typical output line for TCP looks like this.

21:38:44.202888 IP > Flags [S], seq 1580803359, win 65535, options [mss 1366,nop,wscale 6,nop,nop,TS val 552701199 ecr 0,sackOK,eol], length 0

Let’s break it down:

21:38:44.202888: This indicates the timestamp of the captured packet, showing the time when the packet was captured.

IP > This indicates the IP addresses and port numbers involved in the communication. In this case, it shows that a packet is being sent from IP address, port 60915, to IP address, port 22. The “IP” indicates that it is an IP packet.

Flags [S]: This shows the TCP flags set in the packet. In this case, the [S] flag indicates that it is a TCP SYN packet, which is used to initiate a TCP connection.

seq 1580803359: This indicates the sequence number of the packet, which helps in tracking the order of packets in a TCP connection.

win 65535: This indicates the receiving window size, which determines the amount of data that the receiver is capable of accepting.

options [mss 1366,nop,wscale 6,nop,nop,TS val 552701199 ecr 0,sackOK,eol]: These are various TCP options present in the packet. The options can include features like Maximum Segment Size (MSS), Window Scaling (wscale), Time Stamp (TS), Selective Acknowledgment (SACK), and others.

length 0: This indicates the length of the packet payload, which in this case is 0 bytes.


We can also save the captured packets into a file rather than printing them out by using the “-w” flag.

tcpdump -i eth0 -w /tmp/ssh.pcap tcp port 22

This command captures SSH traffic on the eth0 interface and writes it to the file /tmp/ssh.pcap. The -w option specifies the output file to save the captured packets.

After running this command, any SSH traffic on port 22 that passes through the eth0 interface will be captured and saved in the specified pcap file. You can later analyze the pcap file using tools like Wireshark to inspect the captured SSH traffic in more detail.

Tcpdump provides several options that enhance or modify its output. The following are the commonly used options for tcpdump command.

Option Description
-i Listen on the specified interface.
-n Don’t resolve hostnames. You can use -nn to don’t resolve hostnames or port names.
-t Print human-readable timestamp on each dump line, -tttt: Give maximally human-readable timestamp output.
-X Show the packet’s contents in both hex and ascii.
-v, -vv, -vvv enables verbose logging/details (which among other things will give us a running total on how many packets are captured
-c N Only get N number of packets and then stop.
-s Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S Print absolute sequence numbers.
-q Show less protocol information.
-w Write the raw packets to file
-C file_size(M) tells tcpdump to store up to x MB of packet data per file.
-G rotate_seconds Create a new file every time the specified number of seconds has elapsed.

Related Post: