Re: Help decoding ssh packet capture

On Sun, Mar 21, 2010 at 05:16, Scott Ehrlich <srehrlich@xxxxxxxxx> wrote:
I'm trying to find an RFC or something else definitive that will
explicitly define, when an ssh client tries to establish a connection
to an ssh server, packet by packet, from initial host negotiation to
defining encryption schemes to full encryption. I then want to
compare that step-by-step authoritative guide to what I see in my
packet sniffer.

I would suggest that the log from ssh -vvv will probably be more
useful to you. It has been a while since I looked at SSH in a packet
capture, but I suspect that the packets will all be very generic (i.e.
there won't be any explicit notation of WHAT a particular packet is WRT
the SSH protocol).

You should be able to use the timestamps from the log to associate the
packets with each step and between the two you should get a pretty
good idea of what's going on.
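Added example (not part of this thread): a small Python decoder for the cleartext prelude of an SSH-2 session, the identification string and the first SSH_MSG_KEXINIT packet as defined in RFC 4253, which is the part of a capture that can be read before encryption starts. The sample bytes are constructed here, not taken from a real capture.

```python
import struct

# Message numbers from RFC 4253 section 12 for the cleartext part of the handshake.
MSG_NAMES = {20: "SSH_MSG_KEXINIT", 21: "SSH_MSG_NEWKEYS", 30: "SSH_MSG_KEXDH_INIT", 31: "SSH_MSG_KEXDH_REPLY"}
KEXINIT_FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_ident(data: bytes):
    """Split off the identification string (RFC 4253 s4.2): 'SSH-2.0-software' ended by CR LF."""
    end = data.index(b"\r\n")
    line = data[:end].decode("ascii")
    if not line.startswith("SSH-"):
        raise ValueError("stream does not start with an SSH identification string")
    return line, data[end + 2:]

def parse_name_list(buf: bytes, off: int):
    """RFC 4253 s5 name-list: uint32 length followed by comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    names = buf[off + 4:off + 4 + n].decode("ascii")
    return [s for s in names.split(",") if s], off + 4 + n

def parse_packet(data: bytes):
    """Decode one unencrypted binary packet (RFC 4253 s6); there is no MAC before NEWKEYS."""
    packet_length, padding_length = struct.unpack_from(">IB", data, 0)
    payload = data[5:5 + packet_length - padding_length - 1]
    return MSG_NAMES.get(payload[0], f"msg {payload[0]}"), payload, data[4 + packet_length:]

def parse_kexinit(payload: bytes):
    """Return the ten algorithm name-lists of SSH_MSG_KEXINIT (RFC 4253 s7.1)."""
    off, out = 1 + 16, {}  # skip the message number and the 16-byte random cookie
    for field in KEXINIT_FIELDS:
        out[field], off = parse_name_list(payload, off)
    return out

def decode_client_hello(data: bytes):
    """Identification string, then the first packet, which should be KEXINIT."""
    ident, rest = parse_ident(data)
    name, payload, _ = parse_packet(rest)
    return ident, name, parse_kexinit(payload) if name == "SSH_MSG_KEXINIT" else None

# --- constructed sample input (built here, not from a real capture) ---
def encode_packet(payload: bytes) -> bytes:
    """Frame a payload with minimum padding (at least 4 bytes, total a multiple of 8)."""
    pad = 8 - ((5 + len(payload)) % 8)
    pad += 8 if pad < 4 else 0
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + b"\x00" * pad

def encode_kexinit(lists) -> bytes:
    body = b"".join(struct.pack(">I", len(",".join(v))) + ",".join(v).encode() for v in lists)
    return b"\x14" + b"\x11" * 16 + body + b"\x00" + b"\x00\x00\x00\x00"  # bool + reserved uint32

SAMPLE = b"SSH-2.0-OpenSSH_5.3\r\n" + encode_packet(encode_kexinit([
    ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"], ["ssh-rsa", "ssh-dss"],
    ["aes128-ctr", "aes256-ctr"], ["aes128-ctr", "aes256-ctr"], ["hmac-sha1"], ["hmac-sha1"],
    ["none", "zlib@openssh.com"], ["none", "zlib@openssh.com"], [], []]))
```

Everything after NEWKEYS is encrypted, so a packet dissector can only label packets this way up to that point; beyond it the ssh -vvv output is the only readable record of which step is in progress.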
