The OGN-R IP is 192.168.0.67 and my ssh is 192.168.0.100, so I have used the following
tcpdump -i eth0 "(not ((src 192.168.0.100) or (dst 192.168.0.100))) and ((src 192.168.0.67) or (dst 192.168.0.67))"
does this sound right ?
I don't think that s right, but struggling to get a head that feels like it is full of cotton wool around it!
To count traffic going to the Internet, you need to count all packets going to the MAC address of the gateway, whilst excluding anything going to the IP address of the gateway.
(ie the routing table has said the next hop for the packet is the gateway, but not counting anything that is stopping at the gateway its self - ie IGMP, ARP, RARP's, etc)
If you have other traffic going to the Internet that you don't want to count you have to exclude that too. ie if you are sshing in from a host on the internet rather than the local network.
Hope that makes sense.
Cheers
Kev