Re: PuTTY internals

From: Simon Tatham (
Date: 05/05/04

Date: 05 May 2004 11:31:19 +0100 (BST)

Brendan Gregg <> wrote:
> Perhaps someone knows this offhand: I've been analysing SSH traffic for
> command line sessions and found that PuTTY appears to be sending each
> keystroke twice.

How have you been `analysing' the traffic? Just looking at the
encrypted data stream as it goes over the wire, or looking inside
the encryption somehow?

PuTTY can certainly be expected to send two SSH messages per
keystroke when you're typing a command at a command prompt: one is
the SSH_MSG_CHANNEL_DATA containing the character, and the other is
the SSH_MSG_CHANNEL_WINDOW_ADJUST acknowledging receipt of the
server data packet containing the echo. I would expect the server to
be sending the same two packets in response. However, the server
sends those two packets so close together in time that its TCP layer
may be clever enough to amalgamate them into a single TCP segment,
whereas PuTTY must send CHANNEL_DATA first and then WINDOW_ADJUST on
receiving the echoed character, and _then_ wait until the user types
the next character before sending a packet.

So if you're only looking at the number of TCP packets sent and have
no way of understanding their contents, then I think this is all
easily explained.

You might find PuTTY's SSH packet logging mode to be useful. This
will log the decrypted form of every SSH message to a file, and you
can match it up afterwards with the TCP packet logs. Together with
the SSH protocol drafts, this ought to give you a clear
understanding of what PuTTY is doing.

Simon Tatham         "The voices in my head are trying to ignore me.
<>    But if I keep talking, I can drive them insane."