Q18

You are reviewing packets captured by a co-worker. The traffic is from a Linux server that hosts private customer data, and your job is to analyze the content for potential security risks. The .pcap file appears to be a bit small for what you wanted. (It contains traffic to and from the target system during a given time period.) Some of that traffic is shown below. You suspect that only SSH traffic is represented in this capture, which was done with tcpdump. What command do you think your co-worker used to capture only SSH traffic:

	tcpdump port 22
	tcpdump -p 21
	tcpdump -i eth0
	tcpdump port 21

09:19:16.701718 IP kali.rmksupplies.com.33742 > 192.168.1.234.ssh: Flags [S], seq 3661466204, win 64240, options [mss 1460, sack0K, TS val 108304521 ecr , nop, wscale 7], length 09:19:16.704293 IP 192.168.1.234.ssh > kali.rmksupplies.com.33742: Flags [S.], seq 3633554507, ack 3661466205, win 65535, options [mss 1460, nop, wS cale 8 , nop, nop, sackoK], length 0 09:19:16.704337 IP kali.rmksupplies.com.33742 > 192.168.1.234.ssh: Flags [.],ack1, win 502 , length 0 09:19:16.704742 IP kali.rmksupplies.com.33742 > 192.168.1.234.ssh: Flags [P.], seq 1:33, ack 1, win 502, length 32: SSH: SSH-2.0-0penSSH_8.4p1 Deb ian -4 09:19:16.752770 IP 192.168.1.234.ssh > kali.rmksupplies.com.33742: Flags [.],ack33,win1026,length0 09:19:16.912936 IP 192.168.1.234.ssh > kali.rmksupplies.com.33742: Flags [P.], seq 1:34, ack 33, win 1026, length 33: SSH: SSH-2.0-0penSSH_for_Win dows 7.7 09:19:16.913003 IP kali.rmksupplies.com.33742>192.168.1.234.ssh: Flags [.],ack34,win502, length 09:19:16.915294 IP kali. rmksupplies.com.33742>192.168.1.234.ssh: Flags [P.],seq33:1545, ack 34 , win 502 , length 1512