Wireshark-bugs: [Wireshark-bugs] [Bug 5064] New: Some SSH Connections associated with "Windows S
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5064
Summary: Some SSH Connections associated with "Windows Secure Shell Client" aren't dissected properly
Product: Wireshark
Version: 1.2.7
Platform: x86-64
OS/Version: Ubuntu
Status: NEW
Severity: Minor
Priority: Low
Component: TShark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: hantwister@xxxxxxxxxxx
Created an attachment (id=4979)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=4979)
PCAP containing SSH sessions not properly dissected
Build Information:
tshark -v:
TShark 1.2.7
Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GLib 2.24.0, with libpcap 1.0.0, with libz 1.2.3.3, with POSIX
capabilities (Linux), with libpcre 7.8, with SMI 0.4.8, with c-ares 1.7.0, with
Lua 5.1, with GnuTLS 2.8.5, with Gcrypt 1.4.4, with MIT Kerberos, with GeoIP.
Running on Linux 2.6.32-23-generic, with libpcap version 1.0.0, GnuTLS 2.8.5,
Gcrypt 1.4.4.
Built using gcc 4.4.3.
apt-cache policy tshark:
tshark:
  Installed: 1.2.7-1
  Candidate: 1.2.7-1
  Version table:
 *** 1.2.7-1 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid/universe Packages
        100 /var/lib/dpkg/status
--
See:
http://www.wireshark.org/lists/wireshark-users/201007/msg00223.html
http://www.wireshark.org/lists/wireshark-users/201007/msg00227.html
In short, when capturing SSH Sessions between an Ubuntu 10.04 OpenSSH Server and
"SSH Secure Shell for Windows" Client (previously available on ssh.com), on
occasion Wireshark/Tshark deems part of the handshake malformed, and after the
handshake marks all data packets as "[TCP segment of a reassembled PDU]". (This
appeared both in the output of tshark at the time of capture, and in Wireshark
later when analyzing the .pcap file generated by tshark.)
Tshark was run originally like this:
tshark -o column.format:'"Connection", "%Cus:tcp.stream", "Time", "%t", "Source", "%s", "S_port", "%uS", "Destination", "%d", "D_port", "%uD", "Protocol", "%p", "tcp.seq", "%Cus:tcp.seq", "tcp.ack", "%Cus:tcp.ack", "tcp.flags", "%Cus:tcp.flags", "tcp.len", "%Cus:tcp.len", "Info", "%i"' -n -l -f tcp -i eth0 -w /root/owned/folder/test.pcap -S
The file it produced is attached. Problematic sessions can be seen with:
tcp.stream eq 4
tcp.stream eq 5
tcp.stream eq 7
tcp.stream eq 18
tcp.stream eq 25