in reply to Analyze Traffic of ssh port using perl script
The traffic is encrypted and won't be so easy to analyze for the information you seek ;)
Seems to me you want to analyze the log your ssh-daemon logs to, not the traffic; mine logs to /var/log/auth.log, the messages you're after look something like that:
Jul 29 09:02:29 machinename sshd[30173]: Accepted password for username from ::ffff:192.168.0.1 port 39664 ssh2
Jul 29 09:02:29 machine sshd(pam_unix)[9312]: session opened for user username by (uid=500)
[...]
Jul 29 09:07:35 machine sshd(pam_unix)[7137]: session closed for user username

How to watch and parse this depends on your situation.
regards,
tomte
Hlade's Law:
If you have a difficult task, give it to a lazy person --
they will find an easier way to do it.
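Added example, not part of tomte's post: a Perl sketch that parses sshd lines in the format quoted above and reports accepted logins and session durations. The sample lines under __DATA__ are constructed (user "alice" is made up), and the current year is assumed because syslog timestamps carry none.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Time::Local qw(timelocal);

my %MON; @MON{qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec)} = 0 .. 11;
my $YEAR = (localtime)[5] + 1900;   # assumption: syslog lines carry no year

my (%open, @report);                # %open: user => queue of session start times
while (my $line = <DATA>) {
    # syslog prefix: "Mon DD HH:MM:SS host sshd...[pid]: message"
    my ($mon, $day, $h, $m, $s, $msg) = $line =~
        /^(\w{3})\s+(\d+)\s+(\d\d):(\d\d):(\d\d)\s+\S+\s+sshd\S*:\s+(.*)$/
        or next;                    # skips non-sshd lines and "[...]"
    next unless exists $MON{$mon};
    my $t = eval { timelocal($s, $m, $h, $day, $MON{$mon}, $YEAR) };
    next unless defined $t;         # impossible date, e.g. "Feb 30"

    if (my ($how, $user, $from, $port) =
            $msg =~ /^Accepted (\S+) for (\S+) from (\S+) port (\d+)/) {
        $from =~ s/^::ffff://;      # IPv4-mapped IPv6 address -> plain IPv4
        push @report, "login   $user ($how) from $from port $port";
    }
    elsif (my ($opened) = $msg =~ /^session opened for user (\S+)/) {
        push @{ $open{$opened} }, $t;
    }
    elsif (my ($closed) = $msg =~ /^session closed for user (\S+)/) {
        # The PIDs on the open and close lines differ in this format, so
        # pair by user name, oldest open session first.
        my $start = shift @{ $open{$closed} ||= [] };
        push @report, defined $start
            ? sprintf("session %s lasted %d s", $closed, $t - $start)
            : "close   $closed with no matching open";
    }
}
for my $user (sort keys %open) {
    push @report, "open    $user still logged in" for @{ $open{$user} };
}
print "$_\n" for @report;

__DATA__
Jul 29 09:02:29 machine sshd[30173]: Accepted password for alice from ::ffff:192.168.0.1 port 39664 ssh2
Jul 29 09:02:29 machine sshd(pam_unix)[9312]: session opened for user alice by (uid=500)
[...]
Jul 29 09:07:35 machine sshd(pam_unix)[7137]: session closed for user alice
```

To run it against a real log, read from a filehandle opened on the file instead of DATA; sessions that span a year boundary would need the year handled explicitly.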