How to sniff SSH traffic with tcpdump



To listen to and capture the SSH traffic reaching your CentOS server, you can use tcpdump.

-i : the name of the interface tcpdump should listen on.

[root@ithelpblog ~]# tcpdump -i eno16777736 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 65535 bytes
01:48:52.599909 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 1424983401:1424983609, ack 3233968188, win 260, length 208
01:48:52.600727 IP 10.236.10.15.11705 > 10.236.10.16.ssh: Flags [.], ack 208, win 63, length 0
01:48:52.628458 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 208:496, ack 1, win 260, length 288
01:48:52.629134 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 496:672, ack 1, win 260, length 176
01:48:52.629674 IP 10.236.10.15.11705 > 10.236.10.16.ssh: Flags [.], ack 672, win 61, length 0
01:48:52.629989 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 672:944, ack 1, win 260, length 272
01:48:52.631131 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 944:1120, ack 1, win 260, length 176
01:48:52.631943 IP 10.236.10.15.11705 > 10.236.10.16.ssh: Flags [.], ack 1120, win 64, length 0
01:48:52.632361 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 1120:1392, ack 1, win 260, length 272
01:48:52.633262 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 1392:1568, ack 1, win 260, length 176
01:48:52.633892 IP 10.236.10.15.11705 > 10.236.10.16.ssh: Flags [.], ack 1568, win 63, length 0
01:48:52.634291 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 1568:1840, ack 1, win 260, length 272
01:48:52.635241 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 1840:2016, ack 1, win 260, length 176
01:48:52.635927 IP 10.236.10.15.11705 > 10.236.10.16.ssh: Flags [.], ack 2016, win 61, length 0
01:48:52.636682 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 2016:2288, ack 1, win 260, length 272
01:48:52.637647 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 2288:2464, ack 1, win 260, length 176
01:48:52.638119 IP 10.236.10.15.11705 > 10.236.10.16.ssh: Flags [.], ack 2464, win 64, length 0
01:48:52.638402 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 2464:2736, ack 1, win 260, length 272
01:48:52.638923 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 2736:2912, ack 1, win 260, length 176
01:48:52.639290 IP 10.236.10.15.11705 > 10.236.10.16.ssh: Flags [.], ack 2912, win 63, length 0
01:48:52.639579 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 2912:3184, ack 1, win 260, length 272
01:48:52.640110 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 3184:3360, ack 1, win 260, length 176
01:48:52.640657 IP 10.236.10.15.11705 > 10.236.10.16.ssh: Flags [.], ack 3360, win 61, length 0
01:48:52.641026 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 3360:3632, ack 1, win 260, length 272
01:48:52.641875 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 3632:3808, ack 1, win 260, length 176
01:48:52.642637 IP 10.236.10.15.11705 > 10.236.10.16.ssh: Flags [.], ack 3808, win 64, length 0
01:48:52.643222 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 3808:4080, ack 1, win 260, length 272
01:48:52.644031 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 4080:4256, ack 1, win 260, length 176
01:48:52.644635 IP 10.236.10.15.11705 > 10.236.10.16.ssh: Flags [.], ack 4256, win 63, length 0
01:48:52.644982 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 4256:4528, ack 1, win 260, length 272
01:48:52.645705 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 4528:4704, ack 1, win 260, length 176
01:48:52.646225 IP 10.236.10.15.11705 > 10.236.10.16.ssh: Flags [.], ack 4704, win 61, length 0
01:48:52.646651 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 4704:4976, ack 1, win 260, length 272
01:48:52.647206 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 4976:5152, ack 1, win 260, length 176
01:48:52.647802 IP 10.236.10.15.11705 > 10.236.10.16.ssh: Flags [.], ack 5152, win 64, length 0
01:48:52.648141 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 5152:5424, ack 1, win 260, length 272
01:48:52.648828 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 5424:5600, ack 1, win 260, length 176
01:48:52.649384 IP 10.236.10.15.11705 > 10.236.10.16.ssh: Flags [.], ack 5600, win 63, length 0
01:48:52.649741 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 5600:5872, ack 1, win 260, length 272

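As an added example (not part of the original post), here is a small Python parser for the summary lines tcpdump prints above. It totals packets and payload bytes per direction of the SSH session, so you can see at a glance which side is sending data; the sample lines are copied from the capture output above and the banner lines are skipped.

```python
import re
from collections import defaultdict

# One line of tcpdump's default TCP summary, e.g.
# 01:48:52.599909 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 208:496, ack 1, win 260, length 288
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\w+) > (?P<dst>[\d.]+)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<len>\d+)$"
)

# Sample input taken from the capture output shown above (first four packets).
CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 65535 bytes
01:48:52.599909 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 1424983401:1424983609, ack 3233968188, win 260, length 208
01:48:52.600727 IP 10.236.10.15.11705 > 10.236.10.16.ssh: Flags [.], ack 208, win 63, length 0
01:48:52.628458 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 208:496, ack 1, win 260, length 288
01:48:52.629134 IP 10.236.10.16.ssh > 10.236.10.15.11705: Flags [P.], seq 496:672, ack 1, win 260, length 176
""".splitlines()


def parse_line(line):
    """Return a dict of fields for a TCP summary line, or None for banner/other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["len"] = int(rec["len"])  # TCP payload bytes reported by tcpdump
    return rec


def summarize(lines):
    """Aggregate packet count and payload bytes per direction (src:port -> dst:port)."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tcpdump banner lines, blank lines, etc.
        key = f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']}"
        stats[key]["packets"] += 1
        stats[key]["bytes"] += rec["len"]
    return dict(stats)


def top_senders(stats):
    """Directions ordered by payload volume, heaviest first."""
    return sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)


if __name__ == "__main__":
    for direction, s in top_senders(summarize(CAPTURE)):
        print(f"{direction}: {s['packets']} packets, {s['bytes']} payload bytes")
```

Because SSH encrypts its payload, a capture like this exposes timing and volume per direction, not the content of the session, which is exactly the information this summary pulls out.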
Thanks for using Ithelpblog.com.
