Wireshark mailing list archives
Re: TCP Retransmission question
From: Thomas Anderson <t.dt.aanderson () gmail com>
Date: Tue, 21 Jun 2011 18:50:32 +0800
What does the TCP Retransmission string mean in Wireshark?

The network is configured using bridged mode, but each guest OS on VirtualBox has its own sshd installed, so `ps -ef | grep sshd` shows sshd running on each VirtualBox guest:

... 00:00:00 /usr/sbin/sshd

The log in Wireshark was recorded today. Keyword searching in auth.log and auth.log.1 only shows the failed login attempts:

Jun 21 15:15:25 server02 sshd[5523]: Did not receive identification string from 68.168.113.155
Jun 21 15:27:57 server02 sshd[5937]: Invalid user webmaster from 68.168.113.155
Jun 21 15:27:57 server02 sshd[5937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.168.113.155
Jun 21 15:27:59 server02 sshd[5937]: Failed password for invalid user webmaster from 68.168.113.155 port 33025 ssh2
Jun 21 15:28:01 server02 sshd[5940]: Invalid user admin from 68.168.113.155
Jun 21 15:28:01 server02 sshd[5940]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.168.113.155
Jun 21 15:28:03 server02 sshd[5940]: Failed password for invalid user admin from 68.168.113.155 port 33304 ssh2
Jun 21 15:28:06 server02 sshd[5942]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.168.113.155 user=root
Jun 21 15:28:08 server02 sshd[5942]: Failed password for root from 68.168.113.155 port 33514 ssh2

The TCP Retransmission message is observed when launching Wireshark on the host machine, recording server02 with the capture filter string `host xxx.xxx.xxx.112'. Is this the right way to monitor the complete interaction between the ssh client and server? Or what is the right way to monitor the ssh interaction (the client executes `ssh user@host_name` until it successfully logs in or returns a timeout)? And which keyword can I use for checking successful/unsuccessful attempts on ssh? I scrolled through the Wireshark log, but could not figure it out well.

My host is Debian wheezy/sid. All guest machines are Debian squeeze/sid with kernel 2.6.32-5-686, OpenSSH_5.5p1 Debian-5+b1, and OpenSSL 0.9.8o 01 Jun 2010.

Thank you for the advice. I appreciate it.

On Tue, Jun 21, 2011 at 5:17 PM, Shain Singh <shain.singh () gmail com> wrote:
xxx.xxx.xxx.112  68.168.113.155  SSH    [TCP Retransmission] Encrypted response packet len=35
68.168.113.155  xxx.xxx.xxx.112  TCP    [TCP Previous segment lost] 33514 > ssh [ACK] Seq=21 Ack=36 Win=5888 Len=0 TSV=3950744190 TSER=4316095 SLE=1 SRE=36
68.168.113.155  xxx.xxx.xxx.112  SSHv2  [TCP Retransmission] Client Protocol: SSH-2.0-libssh-0.1\r

Have you got SSH configured on the host computer to port forward to the servers (are the virtual hosts in bridged or NAT mode?)
- Looks to be bridged.

I would have thought that this could just be someone 'trying' to brute force SSH. It doesn't necessarily mean they have been able to successfully connect from the logs above, unless I am missing something. Have a scroll through your logs for successful/unsuccessful attempts on SSH.

--
Shaineel Singh
e: shain.singh () gmail com
p: +61 422 921 951
w: http://buffet.shainsingh.com
--
"Too many have dispensed with generosity to practice charity" - Albert Camus
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
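The message above asks which keywords identify successful and unsuccessful SSH attempts in auth.log. The following script is an added example, not code from the thread, from OpenSSH or from Wireshark: it parses OpenSSH auth.log lines into typed events ("Accepted", "Failed", "Invalid user", "Did not receive identification string", pam_unix failures), summarizes them per source IP, and flags sources with repeated failures. The embedded sample log is constructed: the 68.168.113.155 lines are copied from the auth.log excerpt in the thread, and the final "Accepted password for alice from 192.0.2.10" line is a made-up success event in the standard OpenSSH "Accepted <method> for <user> from <ip> port <port>" format, added because the thread's excerpt contains no successful login. The failure threshold in suspicious_sources() is an arbitrary assumption.

```python
"""Classify OpenSSH auth.log lines and summarize login attempts per source IP.

Added example for the Wireshark-users thread; not part of the original thread.
"""
import re
from collections import Counter, defaultdict

# Constructed sample input. The 68.168.113.155 lines are copied from the
# auth.log excerpt in the thread; the 192.0.2.10 line is a constructed success
# event in the standard OpenSSH format (the thread shows no successful login).
SAMPLE_AUTH_LOG = """\
Jun 21 15:15:25 server02 sshd[5523]: Did not receive identification string from 68.168.113.155
Jun 21 15:27:57 server02 sshd[5937]: Invalid user webmaster from 68.168.113.155
Jun 21 15:27:57 server02 sshd[5937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.168.113.155
Jun 21 15:27:59 server02 sshd[5937]: Failed password for invalid user webmaster from 68.168.113.155 port 33025 ssh2
Jun 21 15:28:06 server02 sshd[5942]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.168.113.155 user=root
Jun 21 15:28:08 server02 sshd[5942]: Failed password for root from 68.168.113.155 port 33514 ssh2
Jun 21 15:30:00 server02 sshd[6001]: Accepted password for alice from 192.0.2.10 port 50000 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Order matters: "Failed password for invalid user X ..." must be classified as a
# failed authentication, not as a bare "Invalid user" probe. The pam_unix line
# precedes each "Failed password" line for the same pid, so it is tracked as its
# own kind rather than added to the failure count.
EVENT_RES = [
    ("accepted", re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("failed", re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("invalid_user", re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")),
    ("no_ident", re.compile(r"^Did not receive identification string from (?P<ip>\S+)")),
    ("pam_failure", re.compile(r"authentication failure;.*rhost=(?P<ip>\S+)(?: +user=(?P<user>\S+))?")),
]


def parse_line(line):
    """Return an event dict for a recognised sshd line, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for kind, rx in EVENT_RES:
        em = rx.search(m.group("msg"))
        if em:
            event = {"kind": kind, "ts": m.group("ts"), "host": m.group("host"), "pid": int(m.group("pid"))}
            event.update(em.groupdict())
            return event
    return None


def parse_log(text):
    """Parse every line of an auth.log excerpt, skipping unrecognised lines."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def summarize(events):
    """Per source IP: a Counter of event kinds and the set of usernames tried."""
    summary = defaultdict(lambda: {"counts": Counter(), "users": set()})
    for ev in events:
        entry = summary[ev["ip"]]
        entry["counts"][ev["kind"]] += 1
        if ev.get("user"):
            entry["users"].add(ev["user"])
    return dict(summary)


def suspicious_sources(summary, max_failures=3):
    """IPs at or above the failure threshold (assumed value), or with both a
    success and failures, which is what you would check after a brute-force run."""
    flagged = []
    for ip, entry in summary.items():
        c = entry["counts"]
        failures = c["failed"] + c["invalid_user"]
        if failures >= max_failures or (c["accepted"] and failures):
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_AUTH_LOG))
    for ip, entry in sorted(summary.items()):
        print(ip, dict(entry["counts"]), sorted(entry["users"]))
    print("suspicious:", suspicious_sources(summary))
```

To run it against a real server, replace SAMPLE_AUTH_LOG with the contents of /var/log/auth.log (and the rotated auth.log.1). The success keyword to grep for is "Accepted"; "Failed password", "Invalid user" and "Did not receive identification string" are the failure and probe keywords already visible in the thread's excerpt. Wireshark cannot answer the success question on its own: after the key exchange the SSH payload is encrypted, so a capture filtered with `host xxx.xxx.xxx.112` (or a display filter such as `ip.addr == 68.168.113.155 && tcp.port == 22`) shows the TCP handshake, the version banners and the retransmissions, but not whether authentication succeeded; the server's auth.log is the authoritative source for that.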
Current thread:
- TCP Retransmission question Thomas Anderson (Jun 21)
- Re: TCP Retransmission question ronnie sahlberg (Jun 21)
- Re: TCP Retransmission question Shain Singh (Jun 21)
- Re: TCP Retransmission question Thomas Anderson (Jun 21)
- Re: TCP Retransmission question Shain Singh (Jun 21)
- Re: TCP Retransmission question Andrew Hood (Jun 21)
- Re: TCP Retransmission question Anthony Murabito (Jun 21)
- Re: TCP Retransmission question Thomas Anderson (Jun 21)