This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark ssh.host_key.data display filter

0

I am trying to capture traffic between two CentOS VMs that are using SSH key-based authentication. I looked up display filters on https://www.wireshark.org/docs/dfref/s/ssh.html and found the ssh.host_key.data filter, but I cannot make it work for tshark. Is there a way I can make this possible? Thanks, Scott

asked 30 Jan '17, 19:00


scottctaylor12
6112
accept rate: 0%


One Answer:

0

ssh.host_key.data is only used (in Wireshark 2.2.X) when the Host-Key is not of type "ssh-rsa". So it depends on the host key of your SSH server.

Furthermore, this part has been refactored in the current Development Version (2.3.X, see https://www.wireshark.org/download/automated/) to catch other key types too.

answered 02 Feb '17, 01:50


Uli
9031515
accept rate: 29%
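
To check which case from the answer applies to a given server, the following added example (not part of the original posts and not Wireshark's code) parses an SSH host key blob as laid out in RFC 4253 and reports whether, per the answer's description of 2.2.X, it would show up under ssh.host_key.data. The function names and both sample blobs are constructed for illustration.

```python
import struct

def read_string(buf, off):
    """Read an SSH 'string' (uint32 length + bytes); return (bytes, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string body")
    return buf[off + 4:end], end

def classify_host_key(blob):
    """Return (key_type, in_host_key_data, detail) for a host key blob (K_S)."""
    raw_type, off = read_string(blob, 0)
    key_type = raw_type.decode("ascii")
    if key_type == "ssh-rsa":
        # RFC 4253: string "ssh-rsa", mpint e, mpint n
        e, off = read_string(blob, off)
        n, off = read_string(blob, off)
        detail = {"e": int.from_bytes(e, "big"),
                  "n_bits": int.from_bytes(n, "big").bit_length()}
        # Per the answer, 2.2.X does not use ssh.host_key.data for this type.
        return key_type, False, detail
    # Any other key type: the remainder is treated as opaque key data,
    # which is the case the answer says ssh.host_key.data covers in 2.2.X.
    return key_type, True, {"data_len": len(blob) - off}

def ssh_string(b):
    """Encode bytes as an SSH 'string' (helper for the constructed samples)."""
    return struct.pack(">I", len(b)) + b

# Constructed sample blobs (not real keys).
RSA_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
            + ssh_string(b"\x00" + b"\xc3" * 256))
ED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))

if __name__ == "__main__":
    for blob in (RSA_BLOB, ED_BLOB):
        print(classify_host_key(blob))
```
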