Wireshark-users: Re: [Wireshark-users] SSH Session Captures filled with [TCP segment of a reassem
On 27 jul 2010, at 22:17, Harrison Neal wrote:
> I'm looking to understand why this is happening, both the message about
> a packet in the handshake being malformed, and the subsequent "[TCP
> segment of a reassembled PDU]" messages.
> [...]
> Specifically, the SSH sessions that are problematic can be seen with:
> tcp.stream eq 5
> tcp.stream eq 7
> tcp.stream eq 18
> tcp.stream eq 25
All those SSH sessions (as well as the one in tcp stream 4) use an SSHv2 server and an SSHv1.99 client. Somehow Wireshark is not able to dissect these sessions correctly. Googling on version number "SSH-1.99-3.2.9" results in a lot of people having interconnection problems. It looks like this version might be following the RFC a bit differently. Maybe that's why Wireshark is also having trouble. Could you file a bug report on bugs.wireshark.org and attach the capture file? Then it can be looked at more thoroughly, as I'm not able to spend time on it now...
Cheers,
Sake
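
An added example, not part of the message above and not Wireshark code: a small Python triage helper that pulls the SSH identification line (RFC 4253 section 4.2) from the first bytes of each direction of a TCP stream and flags a client that announces protoversion 1.99, which RFC 4253 section 5.1 defines as a server-side compatibility banner. The function names, the labels and the server banner are assumptions made for illustration; only the client string "SSH-1.99-3.2.9" comes from the thread.

```python
import re

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
IDENT_RE = re.compile(rb"^SSH-([^-\s]+)-([^\s]+)(?: (.*))?$")
MAX_IDENT_LEN = 255  # maximum line length including CR LF


def parse_ident(stream: bytes):
    """Return (protoversion, softwareversion, comments) for the first
    identification line in the stream, or None if there is none."""
    for raw in stream.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue  # a server may send other text lines before its banner
        if len(raw) + 1 > MAX_IDENT_LEN:
            return None  # over-long line: not a valid identification string
        m = IDENT_RE.match(line)
        if not m:
            return None
        return tuple((g or b"").decode("ascii", "replace") for g in m.groups())
    return None


def classify(client_bytes: bytes, server_bytes: bytes) -> str:
    """Label a session from the banners sent in each direction."""
    client, server = parse_ident(client_bytes), parse_ident(server_bytes)
    if client is None or server is None:
        return "no-ident"
    if client[0] == "1.99":
        # 1.99 is specified for servers that also accept older clients;
        # seeing it from the client side is the case described in the thread.
        return "client-sent-1.99"
    if client[0] == "2.0" and server[0] in ("2.0", "1.99"):
        return "ssh2"
    return "other"


# Constructed sample data: banner followed by a few arbitrary binary bytes.
SAMPLE_CLIENT = b"SSH-1.99-3.2.9\r\n\x00\x00\x01\x0c\x0a\x14"
SAMPLE_SERVER = b"SSH-2.0-ExampleServer_1.0\r\n\x00\x00\x02\x1c"  # made-up name

if __name__ == "__main__":
    print(parse_ident(SAMPLE_CLIENT), classify(SAMPLE_CLIENT, SAMPLE_SERVER))
```

Feeding it the first payload bytes of each direction of the affected streams gives a quick list of sessions worth attaching to a bug report.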