Wireshark mailing list archives

SSH Session Captures filled with [TCP segment of a reassembled PDU]


From: Harrison Neal <hantwister () comcast net>
Date: Tue, 27 Jul 2010 15:17:06 -0500

Hi all,

I'm currently working on a project where we're using tshark to capture
the traffic of SSH Sessions. After the SSH handshake, we'd typically see
messages to the effect of "Encrypted request/response packet", however,
in several of the sessions captured recently, we noticed that the
handshake contained a message "Client: Ignore[Malformed Packet]", and
following the handshake all the packets had the message "[TCP segment of
a reassembled PDU]" rather than "Encrypted request/response packet".

Looking up the message "TCP segment of a reassembled PDU", if I
understand comments by other users correctly, it seems like the SSH
dissector is looking at the packets, believes them to be an incomplete
"chunk" of data, and is waiting for more packets to arrive to eventually
"complete" that specific chunk so it can dissect the final message. That
final "completed" message never fully arrives, though.

I'm looking to understand why this is happening, both the message about
a packet in the handshake being malformed, and the subsequent "[TCP
segment of a reassembled PDU]" messages.

We run tshark as root like this:

tshark -o column.format:'"Connection", "%Cus:tcp.stream", "Time", "%t", '\
'"Source", "%s", "S_port", "%uS", "Destination", "%d", "D_port", "%uD", '\
'"Protocol", "%p", "tcp.seq", "%Cus:tcp.seq", "tcp.ack", "%Cus:tcp.ack", '\
'"tcp.flags", "%Cus:tcp.flags", "tcp.len", "%Cus:tcp.len", "Info", "%i"' \
-n -l -f tcp -i eth0 -w /root/owned/folder/test.pcap -S

The file it produced can be downloaded here if it helps:

http://home.comcast.net/~hantwister/failedTest.pcap

Specifically, the SSH sessions that are problematic can be seen with:
tcp.stream eq 5
tcp.stream eq 7
tcp.stream eq 18
tcp.stream eq 25

The machine it ran on was a Dell laptop with 1GB of RAM and a Core 2 Duo
2GHz processor.

Any ideas?

Thanks in advance, -Harrison Neal

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
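The following is an added example, not code from the original post and not Wireshark's SSH dissector. It models the framing a TCP-stream dissector has to do for SSH (RFC 4253 section 6: uint32 packet_length, byte padding_length, payload, padding) and shows two of the verdicts named in the message: an SSH_MSG_IGNORE whose embedded string length overruns the packet is reported as "Ignore[Malformed Packet]", and a framer that fails to switch to encrypted mode after SSH_MSG_NEWKEYS reads ciphertext as a packet_length, asks TCP for billions of bytes that never arrive, and so labels everything "[TCP segment of a reassembled PDU]". The names `SshFramer`, `build_packet`, `parse_ignore` and `demo`, the constructed sample stream, and the "missed NEWKEYS" scenario are assumptions for illustration, not a diagnosis of the capture in the post.

```python
"""Model of SSH binary-packet framing (RFC 4253 section 6) and of the state
a TCP-stream dissector must track to tell a short packet apart from ciphertext.
Constructed example: this is not Wireshark's SSH dissector."""
import struct

SSH_MSG_IGNORE = 2
SSH_MSG_NEWKEYS = 21
MAX_PACKET_LEN = 35000  # RFC 4253 s6.1: the minimum every implementation must accept


def build_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Frame an unencrypted SSH packet without MAC: uint32 packet_length,
    byte padding_length, payload, padding (>= 4 bytes, total a multiple of
    block_size). Padding is zero bytes here so the output is deterministic."""
    padding = block_size - ((len(payload) + 5) % block_size)
    if padding < 4:
        padding += block_size
    packet_length = 1 + len(payload) + padding
    return struct.pack(">IB", packet_length, padding) + payload + b"\x00" * padding


def build_ignore(data: bytes) -> bytes:
    """SSH_MSG_IGNORE carries a single 'string' field: uint32 length + bytes."""
    return build_packet(bytes([SSH_MSG_IGNORE]) + struct.pack(">I", len(data)) + data)


def parse_ignore(payload: bytes):
    """Return the ignored string, or None when its declared length overruns the
    payload: the condition a dissector reports as '[Malformed Packet]'."""
    if len(payload) < 5:
        return None
    (n,) = struct.unpack(">I", payload[1:5])
    if 5 + n > len(payload):
        return None
    return payload[5:5 + n]


class SshFramer:
    """Reassembles SSH packets from TCP payload, one segment at a time."""

    def __init__(self, honour_newkeys: bool = True):
        self.honour_newkeys = honour_newkeys  # False models a dissector that misses the switch
        self.encrypted = False
        self.buf = b""
        self.pending = 0  # bytes the framer is still waiting for from TCP

    def feed(self, segment: bytes) -> list:
        """Consume one segment's payload and return the verdict for each packet."""
        self.buf += segment
        events = []
        if self.encrypted:
            # Ciphertext carries no parseable length; report it and move on.
            events.append(f"Encrypted packet (len={len(self.buf)})")
            self.buf = b""
            return events
        while len(self.buf) >= 4:
            (packet_length,) = struct.unpack(">I", self.buf[:4])
            total = 4 + packet_length
            if len(self.buf) < total:
                # Ask TCP for the rest. If packet_length is really ciphertext read
                # as a length, 'total' is enormous and the wait never ends.
                self.pending = total - len(self.buf)
                note = " (implausible length)" if packet_length > MAX_PACKET_LEN else ""
                events.append(f"[TCP segment of a reassembled PDU]{note}")
                return events
            padding_length = self.buf[4]
            payload = self.buf[5:total - padding_length]  # empty if padding overruns
            self.buf = self.buf[total:]
            if not payload:
                events.append("[Malformed Packet]")
                continue
            msg_type = payload[0]
            if msg_type == SSH_MSG_IGNORE:
                ok = parse_ignore(payload) is not None
                events.append("Ignore" if ok else "Ignore[Malformed Packet]")
            elif msg_type == SSH_MSG_NEWKEYS:
                events.append("New Keys")
                if self.honour_newkeys:
                    self.encrypted = True
                    if self.buf:  # anything after NEWKEYS is already ciphertext
                        events.append(f"Encrypted packet (len={len(self.buf)})")
                        self.buf = b""
                    return events
            else:
                events.append(f"Message type {msg_type}")
        self.pending = 4 - len(self.buf) if self.buf else 0
        return events


def demo(honour_newkeys: bool = True):
    """Constructed stream: a valid IGNORE, an IGNORE whose string length overruns
    the packet, NEWKEYS, then 32 bytes standing in for ciphertext."""
    good = build_ignore(b"keepalive")
    bad = build_packet(bytes([SSH_MSG_IGNORE]) + struct.pack(">I", 9999) + b"abc")
    newkeys = build_packet(bytes([SSH_MSG_NEWKEYS]))
    ciphertext = bytes.fromhex("c3a91f7e0b2d44aa") * 4  # constructed, not real SSH output
    framer = SshFramer(honour_newkeys)
    events = framer.feed(good + bad) + framer.feed(newkeys) + framer.feed(ciphertext)
    return events, framer


if __name__ == "__main__":
    for mode in (True, False):
        events, framer = demo(mode)
        print(f"honour_newkeys={mode}: {events} pending={framer.pending}")
```

Running it with `honour_newkeys=True` yields Ignore, Ignore[Malformed Packet], New Keys, then one "Encrypted packet" per segment; with `honour_newkeys=False` the same bytes end in a reassembly wait for roughly 3 GB, which is the shape of the symptom described above. When triaging a capture like this, the thing to check is therefore the dissector's view of where the encrypted phase starts (the NEWKEYS exchange and any malformed packet immediately before it), not the later segments, which are only collateral.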

