Secure Shell (SSH)
Secure Shell (SSH) is a replacement for older remote shell programs such as telnet. SSH uses encryption to protect the contents (most notably passwords) being sent over its connection.
History
XXX - add a brief description of SSH history
Protocol dependencies
TCP: Typically, SSH uses TCP as its transport protocol. The well known TCP port for SSH traffic is 22.
Example traffic
XXX - Add example traffic here (as plain text or Wireshark screenshot).
Wireshark
The SSH dissector in Wireshark is functional, dissecting most of the connection setup packets which are not encrypted.
The SSH dissector is, unlike the SSL dissector, not able to decrypt the encrypted packets/payload.
Preference Settings
The SSH dissector has a preference to determine whether it should reassemble PDUs spread across multiple TCP segments. For this to work the TCP option "Allow subdissectors to reassemble TCP streams" must be enabled.
Example capture file
XXX - Add a simple example capture file to the SampleCaptures page and link from here. Keep it short, it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.
Display Filter
A complete list of SSH display filter fields can be found in the display filter reference
Show only the SSH based traffic:
ssh
Capture Filter
You cannot directly filter SSH protocols while capturing. However, if you know the TCP port used (see above), you can filter on that one.
External links
- add link to SSH specification and where to find additional info on the web about SSH
The IETF has a working group for this, which has published a number of drafts on the protocol. The most popular SSH version is OpenSSH.