I'm trying to learn to use tcpdump. I thought I'd eavesdrop on my ssh login. The setup is a bit unusual, I have OS X Lion running VirtualBox, with Ubuntu running in the VM. I have ssh enabled and can login from OS X normally:

> ssh -p 22 10.0.1.2 -l telliott
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-17-generic i686)

 * Documentation:  https://help.ubuntu.com/

0 packages can be updated.
0 updates are security updates.

Last login: Sat Mar 31 19:54:36 2012 from toms-mac-mini.local
telliott@U32:~$ logout
Connection to 10.0.1.2 closed.
>

I have not obfuscated the ssh port on Ubuntu. From OS X, stroke gives what I expect:

> ./stroke 10.0.1.2 22 22
Port Scanning host: 10.0.1.2

     Open TCP Port:     22          ssh

So from OS X I do:

> sudo tcpdump -i en1 -v port 22
Password:
tcpdump: listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes

Then I login from OS X to Ubuntu using ssh, but I see nothing with tcpdump. Here is ifconfig from Ubuntu:

telliott@U32:~$ ifconfig
eth1      Link encap:Ethernet  HWaddr 08:00:27:d7:ba:0e  
          inet addr:10.0.1.2  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fed7:ba0e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:799 errors:0 dropped:0 overruns:0 frame:0
          TX packets:465 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:96863 (96.8 KB)  TX bytes:68638 (68.6 KB)

Where are the packets I was hoping to see? Thanks for any help.