Re: TCP Retransmission question

[Shain Singh <shain.singh () gmail com>]

> What does TCP transmission string  mean in wireshark?
Here is a good link to read up on a little bit about TCP retransmits (which
are not exactly a bad thing):
http://thenetworkguy.typepad.com/nau/2008/03/a-tale-of-five.html
Having a LOT of retransmits can be due a a number of reasons and most
troubleshooting usually starts occurring from looking at the network.



> Jun 21 15:15:25 server02 sshd[5523]: Did not receive identification
> string from 68.168.113.155
> Jun 21 15:27:57 server02 sshd[5937]: Invalid user webmaster from
> 68.168.113.155
> Jun 21 15:27:57 server02 sshd[5937]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=68.168.113.155
> Jun 21 15:27:59 server02 sshd[5937]: Failed password for invalid user
> webmaster from 68.168.113.155 port 33025 ssh2
> Jun 21 15:28:01 server02 sshd[5940]: Invalid user admin from 68.168.113.155
> Jun 21 15:28:01 server02 sshd[5940]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=68.168.113.155
> Jun 21 15:28:03 server02 sshd[5940]: Failed password for invalid user
> admin from 68.168.113.155 port 33304 ssh2
> Jun 21 15:28:06 server02 sshd[5942]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=68.168.113.155  user=root
> Jun 21 15:28:08 server02 sshd[5942]: Failed password for root from
> 68.168.113.155 port 33514 ssh2
Ok, so all the above is showing is that the IP 68.168.113.155 is trying a
dictionary based attack of usernames against your publicly accessible SSH
server on 'server02'.



> The TCP transmission message is observed when launching wireshark on
> host machine recording server02 with capture filter string `host
> xxx.xxx.xxx.112'.
I would probably hazard a guess that if you are getting multiple retransmits
between the outside world (68.168.113.155 in this case) then at a guess
either side of the connection is more than likely on a wireless LAN. This is
just a guess however and there can be other reasons for this.



> Is this the right way to monitor the completely interaction between
> ssh client and server? Or what is the right way to monitor the ssh
> interaction (client executes `ssh user@host_name` until it
> successfully login or returns timeout)?

If you have setup 'server01' to be your SSH client and 'server02' to be your
SSH server then a filter like:

(ip.src==x.x.x.111 and ip.dst == x.x.x.112) or (ip.src==x.x.x.112 and
ip.dst==x.x.x.111)

will show you traffic originating from either end.


> And which key word I can use for checking successful/unsuccessful
> attempts on ssh? I scroll through wireshark log, but could not figure
> it out well.
Checking successful/unsuccessful logins is best via your logs. In order to
see a successful connection in Wireshark, you would have to see a lot of
back and forth traffic with the same random high port back to your
'server02' on port 22.



-- 
Shaineel Singh
e: shain.singh () gmail com
p: +61 422 921 951
w: http://buffet.shainsingh.com

--
"Too many have dispensed with generosity to practice charity" - Albert Camus

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe