Re: SSH Session Captures filled with [TCP segment of a reassembled PDU]

[Sake Blok <sake () euronet nl>]

On 27 jul 2010, at 22:17, Harrison Neal wrote:

> I'm looking to understand why this is happening, both the message about
> a packet in the handshake being malformed, and the subsequent "[TCP
> segment of a reassembled PDU]" messages.
> [...]
> Specifically, the SSH sessions that are problematic can be seen with:
> tcp.stream eq 5
> tcp.stream eq 7
> tcp.stream eq 18
> tcp.stream eq 25

All those SSH sessions (as well as the one in tcp stream 4) use a SSHv2 server and a SSHv1.99 client. Somehow wireshark 
is not able to dissect these sessions correctly. Googling on version number "SSH-1.99-3.2.9" results in a lot of people 
having interconnection problems. It looks like this version might be following the RFC a bit differently. Maybe that's 
why Wireshark is also having trouble. Could you file a big report on bugs.wireshark.org and attach the capture file. 
Then it can be looked at more thoroughly as I'm not able to spend time on it now....

Cheers,


Sake

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe