Wireshark-users: [Wireshark-users] SSH Session Captures filled with [TCP segment of a reassembled

From: Harrison Neal <hantwister@xxxxxxxxxxx>
Date: Tue, 27 Jul 2010 15:17:06 -0500
Hi all,

I'm currently working on a project where we're using tshark to capture
the traffic of SSH Sessions. After the SSH handshake, we'd typically see
messages to the effect of "Encrypted request/response packet", however,
in several of the sessions captured recently, we noticed that the
handshake contained a message "Client: Ignore[Malformed Packet]", and
following the handshake all the packets had the message "[TCP segment of
a reassembled PDU]" rather than "Encrypted request/response packet".

Looking up the message "TCP segment of a reassembled PDU", if I
understand comments by other users correctly, it seems like the SSH
dissector is looking at the packets, believes them to be an incomplete
"chunk" of data, and is waiting for more packets to arrive to eventually
"complete" that specific chunk so it can dissect the final message. That
final "completed" message never fully arrives, though.

I'm looking to understand why this is happening, both the message about
a packet in the handshake being malformed, and the subsequent "[TCP
segment of a reassembled PDU]" messages.

We run tshark as root like this:

tshark -o column.format:'"Connection", "%Cus:tcp.stream", "Time", "%t", '\
'"Source", "%s", "S_port", "%uS", "Destination", "%d", "D_port", "%uD", '\
'"Protocol", "%p", "tcp.seq", "%Cus:tcp.seq", "tcp.ack", "%Cus:tcp.ack", '\
'"tcp.flags", "%Cus:tcp.flags", "tcp.len", "%Cus:tcp.len", "Info", "%i"' \
  -n -l -f tcp -i eth0 -w /root/owned/folder/test.pcap -S

The file it produced can be downloaded here if it helps:

http://home.comcast.net/~hantwister/failedTest.pcap

Specifically, the SSH sessions that are problematic can be seen with:
tcp.stream eq 5
tcp.stream eq 7
tcp.stream eq 18
tcp.stream eq 25

The machine it ran on was a Dell laptop with 1GB of RAM and a Core 2 Duo
2GHz processor.

Any ideas?

Thanks in advance, -Harrison Neal
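An added illustration, not from Harrison's post or from Wireshark's dissector code: the RFC 4253 binary-packet framing that a plaintext SSH dissector walks before NEWKEYS, run over a constructed stream in which a single misread length field leaves the parser waiting for bytes that never arrive, which is the state the "[TCP segment of a reassembled PDU]" label describes. The 35000-byte bound and the corruption scenario are assumptions for the illustration, not a diagnosis of this capture.

```python
import struct

# SSH message numbers from RFC 4253 (transport layer, pre-encryption phase).
SSH_MSG_IGNORE = 2
SSH_MSG_NEWKEYS = 21
# RFC 4253 section 6.1: implementations must accept packets up to 35000 bytes.
# Using it as the sanity bound here is an assumption, not Wireshark's value.
MAX_PACKET_LEN = 35000


def build_ssh_packet(payload: bytes, block: int = 8) -> bytes:
    """Frame payload as an unencrypted RFC 4253 binary packet (no MAC)."""
    pad = block - ((5 + len(payload)) % block)   # 4-byte length + 1-byte pad count
    if pad < 4:                                  # RFC requires at least 4 padding bytes
        pad += block
    pkt_len = 1 + len(payload) + pad             # padding_length byte + payload + padding
    return struct.pack(">IB", pkt_len, pad) + payload + b"\x00" * pad


def split_ssh_packets(buf: bytes):
    """Walk a reassembled TCP byte stream as a plaintext SSH dissector would.

    Returns (messages, bytes_still_needed, malformed). A non-zero
    bytes_still_needed is the state in which a dissector holds the data as
    a "segment of a reassembled PDU" and waits for the rest to arrive.
    """
    messages, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 5:                   # not even a complete header yet
            return messages, 5 - (len(buf) - pos), False
        pkt_len, pad_len = struct.unpack_from(">IB", buf, pos)
        if pkt_len > MAX_PACKET_LEN or pad_len + 1 >= pkt_len:
            return messages, 0, True             # inconsistent header: malformed
        end = pos + 4 + pkt_len
        if end > len(buf):                       # PDU continues in a later segment
            return messages, end - len(buf), False
        payload = buf[pos + 5:end - pad_len]
        messages.append((payload[0], payload[1:]))   # (message type, body)
        pos = end
    return messages, 0, False


if __name__ == "__main__":
    # Constructed stream: SSH_MSG_IGNORE carrying the string "abc", then NEWKEYS.
    ignore = build_ssh_packet(bytes([SSH_MSG_IGNORE]) + struct.pack(">I", 3) + b"abc")
    newkeys = build_ssh_packet(bytes([SSH_MSG_NEWKEYS]))
    print(split_ssh_packets(ignore + newkeys))   # two messages decoded, 0 bytes needed
    # Same bytes with the Ignore length field corrupted to 0x8000: the parser now
    # believes 32 KB are outstanding and swallows every following segment.
    corrupted = struct.pack(">I", 0x8000) + ignore[4:] + newkeys
    print(split_ssh_packets(corrupted))          # no messages, 32732 bytes "needed"
```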