Secure Shell (SSH) is a replacement for older remote shell programs such as telnet. SSH uses encryption to protect the contents (most notably passwords) being sent over its connection.
XXX - add a brief description of SSH history
- TCP: Typically, SSH uses TCP as its transport protocol. The well known TCP port for SSH traffic is 22.
XXX - Add example traffic here (as plain text or Wireshark screenshot).
The SSH dissector in Wireshark is functional, dissecting most of the connection setup packets which are not encrypted.
Unlike the TLS dissector, no code has been written to decrypt encrypted SSH packets/payload (yet). This is also not possible unless the shared secret (from the Diffie-Hellman key exchange) is extracted from the SSH server or client (see, as an example of a mechanism to extract internal information of that sort, the "SSLKEYLOGFILE" method in TLS). Work on SSH2 decryption is tracked at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16054
The SSH dissector has a preference to determine whether it should reassemble PDUs spread across multiple TCP segments. For this to work the TCP option "Allow subdissectors to reassemble TCP streams" must be enabled.
XXX - Add a simple example capture file to the SampleCaptures page and link from here. Keep it short, it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.
A complete list of SSH display filter fields can be found in the display filter reference
Show only the SSH based traffic:
You cannot directly filter SSH protocols while capturing. However, if you know the TCP port used (see above), you can filter on that one.
Imported from https://wiki.wireshark.org/SSH on 2020-08-11 23:25:52 UTC