Wireshark-users: Re: [Wireshark-users] TCP Retransmission question

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Tue, 21 Jun 2011 18:02:30 +1000
On Tue, Jun 21, 2011 at 5:46 PM, Thomas Anderson
<t.dt.aanderson@xxxxxxxxx> wrote:
> I have two virtual machines running on virtualbox whose os is debian.
> Currently my connection using ssh from A(xxx.xxx.xxx.111) to
> B(xxx.xxx.xxx.112) sometimes suffers the connection timeout. So I use
> wireshark (with filter `host xxx.xxx.xxx.112') to check the underlying
> network packets and notice sometimes it seems the ssh will do TCP
> retransmission as below:
>
> xxx.xxx.xxx.112 68.168.113.155  SSH     [TCP Retransmission] Encrypted
> response packet len=35
> 68.168.113.155  xxx.xxx.xxx.112 TCP     [TCP Previous segment lost] 33514 >
> ssh [ACK] Seq=21 Ack=36 Win=5888 Len=0 TSV=3950744190 TSER=4316095
> SLE=1 SRE=36
> 68.168.113.155  xxx.xxx.xxx.112 SSHv2   [TCP Retransmission] Client
> Protocol: SSH-2.0-libssh-0.1\r
>
> However, the ip address started with 68 is not any machine I know of.
> Does it mean my ssh may be compromised? Or what key word I can filter
> to find out the root cause (that ssh connection timeout)?

Doesn't look good.
Someone has established a live SSH connection to your box.

Probably not good at all.

>
> Thanks.
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
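As an added example that is not part of the thread or of Wireshark itself: a small triage script for the situation above, which reads a tshark field export of the SSH traffic (one line per packet: source, destination, retransmission flag, SSH banner) and reports any peer that is not on the list of hosts you expect, the retransmission count per conversation, and the client banners seen. The sample lines are constructed after the three packets quoted in the question; the 10.0.0.x addresses stand in for the anonymised xxx.xxx.xxx.111/112 hosts, and the script assumes the retransmission column is non-empty when the flag is set.

```python
# Added example: triage an SSH capture summary for unexpected peers.
# Input is assumed to come from tshark (field names are real Wireshark fields):
#   tshark -r capture.pcap -Y "tcp.port == 22" -T fields \
#          -e ip.src -e ip.dst -e tcp.analysis.retransmission -e ssh.protocol
from collections import Counter

# Constructed sample, modelled on the packets quoted in the question.
SAMPLE = """\
10.0.0.112\t68.168.113.155\t1\t
68.168.113.155\t10.0.0.112\t\t
68.168.113.155\t10.0.0.112\t1\tSSH-2.0-libssh-0.1
10.0.0.111\t10.0.0.112\t\tSSH-2.0-OpenSSH_5.5p1
"""

# Hosts that are allowed to talk SSH to each other (assumed: the two VMs).
EXPECTED_HOSTS = {"10.0.0.111", "10.0.0.112"}


def parse_lines(text):
    """Turn tab-separated tshark output into a list of packet records."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        fields += [""] * (4 - len(fields))  # pad short lines
        src, dst, retrans, banner = fields[:4]
        rows.append({"src": src, "dst": dst,
                     "retrans": retrans != "",  # assumption: non-empty means flagged
                     "banner": banner})
    return rows


def unexpected_peers(rows, expected):
    """IPs seen on port 22 that are not in the expected-host set."""
    return {ip for r in rows for ip in (r["src"], r["dst"]) if ip not in expected}


def retransmissions_by_conversation(rows):
    """Count retransmitted segments per unordered (ip, ip) pair."""
    counts = Counter()
    for r in rows:
        if r["retrans"]:
            counts[tuple(sorted((r["src"], r["dst"])))] += 1
    return dict(counts)


def client_banners(rows):
    """Map each source IP to the SSH version banner it sent, if any."""
    return {r["src"]: r["banner"] for r in rows if r["banner"]}


def triage(text, expected=EXPECTED_HOSTS):
    rows = parse_lines(text)
    return {"unexpected": unexpected_peers(rows, expected),
            "retransmissions": retransmissions_by_conversation(rows),
            "banners": client_banners(rows)}
```

Running `triage(SAMPLE)` flags 68.168.113.155 as an unknown peer with a libssh client banner, which is the kind of finding that warrants checking the host's auth logs and active sessions rather than tuning TCP.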