Secure Shell (SSH)

Secure Shell (SSH) is a replacement for older remote shell programs such as telnet. SSH uses encryption to protect the contents (most notably passwords) being sent over its connection.

History

XXX - add a brief description of SSH history

Protocol dependencies

Example traffic

XXX - Add example traffic here (as plain text or Wireshark screenshot).

Wireshark

The SSH dissector in Wireshark is functional, dissecting most of the connection setup packets which are not encrypted.

Unlike the SSL dissector, no code has been written to decrypt encrypted SSH packets/payload.

Preference Settings

The SSH dissector has a preference to determine whether it should reassemble PDUs spread across multiple TCP segments. For this to work the TCP option "Allow subdissectors to reassemble TCP streams" must be enabled.

Example capture file

XXX - Add a simple example capture file to the SampleCaptures page and link from here. Keep it short, it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.

Display Filter

A complete list of SSH display filter fields can be found in the display filter reference

Capture Filter

You cannot directly filter SSH protocols while capturing. However, if you know the TCP port used (see above), you can filter on that one.

The IETF has a working group for this, which has published a number of drafts on the protocol. The most popular SSH version is OpenSSH.

Discussion

SSH (last edited 2014-06-17 17:43:30 by JoergMayer)