How to Filter Non-SSH Traffic in Wireshark

Preventing outbound ssh connections, and thus any tunnels, would require a complete blockade of outbound connections via deep packet inspection. Looking at ports will be 100% useless. You have to look at the actual packet payload to know it's SSH. (this is what websense is doing.)

The only other option is setting up a "proxy" host. Lock down the configuration so the ssh client and server will not allow tunneling, then allow only that machine to make outbound ssh connections -- of course, this includes securing the system as well, otherwise people can run whatever ssh software they want.

But when i go to promiscous or monitor mode i will be disconnected from my router and cant see any traffic except dhcp and such stuff. but no relevant tcp, udp,.. stuff.

For promiscuous mode, which is mainly a wired-network feature (it doesn't work well on Wi-Fi adapters), you won't be "disconnected" in the sense that you will no longer be connected to the network. However, Ethernet doesn't generally work the way it originally did, and promiscuous mode doesn't work as well as it used to. Promiscuous mode is a mode your network adapter works in, in which it hands packets to the host no matter what the destination MAC address, but if the switch won't even send you the packets that aren't broadcast or multicast or addressed to you, there's nothing your adapter can do.

For monitor mode, which is a Wi-Fi feature (it doesn't exist on wired adapters), whether you are "disconnected" in monitor mode, in the sense that you will no longer be connected to the network, depends on your network adapter, OS, and driver. Wi-Fi networks are on a shared medium, unlike switched Ethernet networks, so you'll be able to capture all the packets; however, most Wi-Fi networks are "protected", using WEP or WPA/WPA2, meaning the traffic is encrypted, and you'll need a tool that can decrypt that traffic (such as Wireshark) and the password for the network and, for modern networks using WPA or WPA2, the initial connecting-to-the-network handshake for each device whose traffic you want to decrypt.

Your problem sounds like "can see only broadcast traffic" (such as broadcast DHCP requests), so you're probably on a switched Ethernet, and will have to use one of the techniques mentioned in the Wireshark Wiki's page on Ethernet capturing.

However, you later refer to being associated with the network, which sounds like Wi-Fi. In that case, promiscuous mode won't help; you'll need monitor mode and all the stuff necessary for decrypting traffic.