Wireshark-bugs: [Wireshark-bugs] [Bug 5064] New: Some SSH Connections associated with "Windows S
Date: Wed, 28 Jul 2010 11:49:32 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5064

           Summary: Some SSH Connections associated with "Windows Secure
                    Shell Client" aren't dissected properly
           Product: Wireshark
           Version: 1.2.7
          Platform: x86-64
        OS/Version: Ubuntu
            Status: NEW
          Severity: Minor
          Priority: Low
         Component: TShark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: hantwister@xxxxxxxxxxx


Created an attachment (id=4979)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=4979)
PCAP containing SSH sessions not properly dissected

Build Information:
tshark -v:
TShark 1.2.7

Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.24.0, with libpcap 1.0.0, with libz 1.2.3.3, with POSIX
capabilities (Linux), with libpcre 7.8, with SMI 0.4.8, with c-ares 1.7.0, with
Lua 5.1, with GnuTLS 2.8.5, with Gcrypt 1.4.4, with MIT Kerberos, with GeoIP.

Running on Linux 2.6.32-23-generic, with libpcap version 1.0.0, GnuTLS 2.8.5,
Gcrypt 1.4.4.

Built using gcc 4.4.3.

apt-cache policy tshark:
tshark:
  Installed: 1.2.7-1
  Candidate: 1.2.7-1
  Version table:
 *** 1.2.7-1 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid/universe Packages
        100 /var/lib/dpkg/status

--
See:
http://www.wireshark.org/lists/wireshark-users/201007/msg00223.html
http://www.wireshark.org/lists/wireshark-users/201007/msg00227.html

In short, when capturing SSH Sessions between a Ubuntu 10.04 OpenSSH Server and
"SSH Secure Shell for Windows" Client (previously available on ssh.com), on
occasion Wireshark/Tshark deems part of the handshake malformed, and after the
handshake marks all data packets as "[TCP segment of a reassembled PDU]". (This
appeared both in the output of tshark at the time of capture, and in Wireshark
later when analyzing the .pcap file generated by tshark)

Tshark was run originally like this:
tshark -o column.format:'"Connection", "%Cus:tcp.stream", "Time", "%t",
"Source", "%s", "S_port", "%uS", "Destination", "%d", "D_port", "%uD",
"Protocol", "%p", "tcp.seq", "%Cus:tcp.seq", "tcp.ack", "%Cus:tcp.ack",
"tcp.flags", "%Cus:tcp.flags", "tcp.len", "%Cus:tcp.len", "Info", "%i"' -n -l
-f tcp -i eth0 -w /root/owned/folder/test.pcap -S

The file it produced is attached. Problematic sessions can be seen with:
tcp.stream eq 4
tcp.stream eq 5
tcp.stream eq 7
tcp.stream eq 18
tcp.stream eq 25

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.