using wireshark/tshark in command line to ignore ssh connections
Solution 1:
Both tshark and tcpdump use the pcap
library, so the capture filters use pcap-filter syntax. The filter you want is, as @tristan says, "not port 22"
. You can enter this as a quoted string argument to the -f
option, or as an unquoted argument to the command. The following commands are equivalent:
# tshark -f "not port 22"
# tshark -- not port 22
The reason tshark complained about your command above is that your shell (probably Bash) expanded "!22" to command number 22 in your command history, which in this case was "ls". The Bash documentation has more information on history expansion.
Solution 2:
I don't have access to a tshark installation currently, but assuming that it's the same as the tcpdump:
sudo tcpdump not port 22
so, potentially:
tshark not port 22