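We can filter on TCP port 22 in the tcpdump command to capture all the SSH traffic. The first form below matches port 22 as either the source or the destination port; the second compares bytes 2-3 of the TCP header, which hold the destination port, so it matches only packets sent to port 22.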
tcpdump -i eth0 tcp port 22
tcpdump -i eth0 'tcp[2:2] = 22'
The output of tcpdump is protocol dependent. A typical output line for TCP looks like this:
21:38:44.202888 IP 10.79.97.62.60915 > 216.58.220.206.22: Flags [S], seq 1580803359, win 65535, options [mss 1366,nop,wscale 6,nop,nop,TS val 552701199 ecr 0,sackOK,eol], length 0
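As an added example (not part of the original page), the following Python code parses TCP lines in the format shown above and counts initial SYNs sent to port 22 per source address, which makes repeated SSH connection attempts easy to spot in a capture. It assumes numeric addresses and ports as in the sample line (tcpdump's -n option); the function names and every sample line except the first are constructed for illustration.

```python
import re
from collections import Counter

# Layout of an IPv4 TCP line as shown above:
#   time IP src.sport > dst.dport: Flags [..], <rest>
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\], (?P<rest>.*)$"
)

def parse_line(line):
    """Return a dict of fields for one TCP line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    length = re.search(r"length (\d+)", rec["rest"])
    rec["length"] = int(length.group(1)) if length else None
    return rec

def ssh_connection_attempts(lines, port=22):
    """Count initial SYNs (flags 'S', not the 'S.' reply) sent to `port`, per source IP."""
    attempts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] == port and rec["flags"] == "S":
            attempts[rec["src"]] += 1
    return attempts

# Constructed sample: the first line is the one from the page, the rest are made up.
SAMPLE = [
    "21:38:44.202888 IP 10.79.97.62.60915 > 216.58.220.206.22: Flags [S], seq 1580803359, win 65535, options [mss 1366,nop,wscale 6,nop,nop,TS val 552701199 ecr 0,sackOK,eol], length 0",
    "21:38:44.250112 IP 216.58.220.206.22 > 10.79.97.62.60915: Flags [S.], seq 99, ack 1580803360, win 65535, length 0",
    "21:38:45.000001 IP 192.0.2.10.40001 > 198.51.100.5.22: Flags [S], seq 1, win 64240, length 0",
    "21:38:45.100001 IP 192.0.2.10.40002 > 198.51.100.5.22: Flags [S], seq 2, win 64240, length 0",
    "21:38:45.200001 IP 192.0.2.10.40002 > 198.51.100.5.22: Flags [P.], seq 3:44, ack 1, win 502, length 41",
    "21:38:46.000001 IP 192.0.2.10.40003 > 198.51.100.5.443: Flags [S], seq 5, win 64240, length 0",
]

if __name__ == "__main__":
    for src, count in ssh_connection_attempts(SAMPLE).most_common():
        print(f"{src}: {count} SYN(s) to port 22")
```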
We can save the captured packets into a file rather than printing them out by using the “-w” flag.
tcpdump -i eth0 -w /tmp/ssh.pcap tcp port 22