Wireshark mailing list archives
Re: TCP Retransmission question
From: Shain Singh <shain.singh () gmail com>
Date: Tue, 21 Jun 2011 21:55:37 +1000
> What does TCP transmission string mean in Wireshark?
Here is a good link to read up on a little bit about TCP retransmits (which are not exactly a bad thing): http://thenetworkguy.typepad.com/nau/2008/03/a-tale-of-five.html Having a LOT of retransmits can be due to a number of reasons, and most troubleshooting usually starts with looking at the network.
> Jun 21 15:15:25 server02 sshd[5523]: Did not receive identification string from 68.168.113.155
> Jun 21 15:27:57 server02 sshd[5937]: Invalid user webmaster from 68.168.113.155
> Jun 21 15:27:57 server02 sshd[5937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.168.113.155
> Jun 21 15:27:59 server02 sshd[5937]: Failed password for invalid user webmaster from 68.168.113.155 port 33025 ssh2
> Jun 21 15:28:01 server02 sshd[5940]: Invalid user admin from 68.168.113.155
> Jun 21 15:28:01 server02 sshd[5940]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.168.113.155
> Jun 21 15:28:03 server02 sshd[5940]: Failed password for invalid user admin from 68.168.113.155 port 33304 ssh2
> Jun 21 15:28:06 server02 sshd[5942]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.168.113.155 user=root
> Jun 21 15:28:08 server02 sshd[5942]: Failed password for root from 68.168.113.155 port 33514 ssh2
OK, so all the above is showing is that the IP 68.168.113.155 is trying a dictionary-based attack of usernames against your publicly accessible SSH server on 'server02'.
> The TCP transmission message is observed when launching Wireshark on the host machine recording server02 with capture filter string `host xxx.xxx.xxx.112'.
I would probably hazard a guess that if you are getting multiple retransmits between the outside world (68.168.113.155 in this case) then at a guess either side of the connection is more than likely on a wireless LAN. This is just a guess however and there can be other reasons for this.
> Is this the right way to monitor the complete interaction between SSH client and server? Or what is the right way to monitor the SSH interaction (client executes `ssh user@host_name` until it successfully logs in or returns a timeout)?
If you have set up 'server01' to be your SSH client and 'server02' to be your SSH server then a filter like: (ip.src==x.x.x.111 and ip.dst == x.x.x.112) or (ip.src==x.x.x.112 and ip.dst==x.x.x.111) will show you traffic originating from either end.
> And which keyword can I use for checking successful/unsuccessful attempts on SSH? I scroll through the Wireshark log, but could not figure it out well.
Checking successful/unsuccessful logins is best via your logs. In order to see a successful connection in Wireshark, you would have to see a lot of back and forth traffic with the same random high port back to your 'server02' on port 22.

--
Shaineel Singh
e: shain.singh () gmail com
p: +61 422 921 951
w: http://buffet.shainsingh.com
--
"Too many have dispensed with generosity to practice charity" - Albert Camus
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
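The reply above makes two points a practitioner would want to act on: the sshd/pam_unix lines quoted by the original poster are the authoritative record of who tried which usernames against server02, and a successful login shows in Wireshark only as a long bidirectional flow to port 22 from one client port, so the log is the place to check success. The script below is an added example (not from the thread or from Wireshark) that turns that advice into detection logic: it parses sshd log lines per source IP, counts "Failed password" events (the pam_unix "authentication failure" lines are deliberately skipped so each attempt is counted once), tracks which usernames were tried, flags a source as brute-forcing past a threshold, raises the more serious "success after failures" case when an "Accepted ..." line follows failures from the same host, and builds the Wireshark display filter to pivot from a flagged source into the capture. The log sample is constructed for this example and modeled on the quoted lines; its IPs are RFC 5737 documentation addresses, not the host from the post, and the thresholds are illustrative.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample, modeled on the sshd/pam_unix lines quoted in the thread.
# IPs are documentation addresses (RFC 5737), not the hosts from the post.
# The final "Accepted password for root" line is constructed to show the
# success-after-failures case; it is not in the original log.
SAMPLE_LOG = """\
Jun 21 15:15:25 server02 sshd[5523]: Did not receive identification string from 198.51.100.7
Jun 21 15:27:57 server02 sshd[5937]: Invalid user webmaster from 198.51.100.7
Jun 21 15:27:57 server02 sshd[5937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Jun 21 15:27:59 server02 sshd[5937]: Failed password for invalid user webmaster from 198.51.100.7 port 33025 ssh2
Jun 21 15:28:01 server02 sshd[5940]: Invalid user admin from 198.51.100.7
Jun 21 15:28:03 server02 sshd[5940]: Failed password for invalid user admin from 198.51.100.7 port 33304 ssh2
Jun 21 15:28:06 server02 sshd[5942]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Jun 21 15:28:08 server02 sshd[5942]: Failed password for root from 198.51.100.7 port 33514 ssh2
Jun 21 15:28:30 server02 sshd[5942]: Accepted password for root from 198.51.100.7 port 33601 ssh2
Jun 21 15:30:00 server02 sshd[6001]: Accepted publickey for alice from 203.0.113.10 port 50122 ssh2
"""

# sshd message formats. "Failed ..." is the one authoritative line per attempt;
# the pam_unix "authentication failure" line describes the same attempt and is
# intentionally not matched, to avoid double counting.
FAILED = re.compile(r"Failed (?:password|publickey) for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
INVALID = re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+)")
NO_IDENT = re.compile(r"Did not receive identification string from (?P<ip>\S+)")


@dataclass
class SourceStats:
    failed: int = 0                       # "Failed password/publickey" lines
    no_ident: int = 0                     # banner grabs / scanners that never spoke SSH
    users_tried: set = field(default_factory=set)
    invalid_users: set = field(default_factory=set)   # names with no local account
    accepted: list = field(default_factory=list)      # (user, method) per success
    accepted_after_failures: list = field(default_factory=list)  # users accepted once failed > 0


def parse_sshd(lines):
    """Aggregate sshd auth events per source IP, in log order."""
    stats = defaultdict(SourceStats)
    for line in lines:
        if m := FAILED.search(line):
            s = stats[m["ip"]]
            s.failed += 1
            s.users_tried.add(m["user"])
            if m["invalid"]:
                s.invalid_users.add(m["user"])
        elif m := ACCEPTED.search(line):
            s = stats[m["ip"]]
            s.users_tried.add(m["user"])
            s.accepted.append((m["user"], m["method"]))
            if s.failed > 0:          # a success preceded by failures from the same host
                s.accepted_after_failures.append(m["user"])
        elif m := INVALID.search(line):
            s = stats[m["ip"]]
            s.users_tried.add(m["user"])
            s.invalid_users.add(m["user"])
        elif m := NO_IDENT.search(line):
            stats[m["ip"]].no_ident += 1
    return stats


def classify(stats, fail_threshold=3, user_threshold=2):
    """Tag each source. Thresholds are illustrative, tune for your environment."""
    findings = {}
    for ip, s in stats.items():
        tags = []
        if s.failed >= fail_threshold or len(s.users_tried) >= user_threshold:
            tags.append("brute-force")
        if s.accepted_after_failures:
            tags.append("success-after-failures")   # the one that needs a human now
        if s.accepted and not tags:
            tags.append("normal-login")
        findings[ip] = tags
    return findings


def display_filter(client_ip, server_ip):
    """Wireshark display filter to pivot from a flagged source into the capture:
    both directions between the two hosts, restricted to the SSH port."""
    return f"ip.addr == {client_ip} && ip.addr == {server_ip} && tcp.port == 22"


if __name__ == "__main__":
    stats = parse_sshd(SAMPLE_LOG.splitlines())
    for ip, tags in classify(stats).items():
        s = stats[ip]
        print(f"{ip}: failed={s.failed} users={sorted(s.users_tried)} tags={tags}")
        if "brute-force" in tags:
            print("  pivot:", display_filter(ip, "192.0.2.112"))   # 192.0.2.112 stands in for server02
```

Run it against a real /var/log/auth.log (or journalctl -u ssh output) by replacing SAMPLE_LOG.splitlines() with the file's lines; the regexes tolerate the trailing key fingerprint and port that newer OpenSSH versions append. The "success-after-failures" tag is deliberately separate from "brute-force": a noisy scanner that never gets in is routine, while a login that follows a run of failures from the same address is the case to investigate immediately.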
Current thread:
- TCP Retransmission question Thomas Anderson (Jun 21)
- Re: TCP Retransmission question ronnie sahlberg (Jun 21)
- Re: TCP Retransmission question Shain Singh (Jun 21)
- Re: TCP Retransmission question Thomas Anderson (Jun 21)
- Re: TCP Retransmission question Shain Singh (Jun 21)
- Re: TCP Retransmission question Andrew Hood (Jun 21)
- Re: TCP Retransmission question Anthony Murabito (Jun 21)
- Re: TCP Retransmission question Thomas Anderson (Jun 21)