Wireshark-users: Re: [Wireshark-users] TCP Retransmission question

From: Thomas Anderson <t.dt.aanderson@xxxxxxxxx>
Date: Tue, 21 Jun 2011 18:50:32 +0800
What does the TCP transmission string mean in Wireshark?

The network is configured in bridge mode, but each guest OS on
VirtualBox has its own sshd installed, so `ps -ef | grep sshd` shows
that sshd is running on each VirtualBox guest:

 ...  00:00:00 /usr/sbin/sshd

The Wireshark log was recorded today, and keyword searching in auth.log
and auth.log.1 only shows the failed login attempts.

Jun 21 15:15:25 server02 sshd[5523]: Did not receive identification string from 68.168.113.155
Jun 21 15:27:57 server02 sshd[5937]: Invalid user webmaster from 68.168.113.155
Jun 21 15:27:57 server02 sshd[5937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.168.113.155
Jun 21 15:27:59 server02 sshd[5937]: Failed password for invalid user webmaster from 68.168.113.155 port 33025 ssh2
Jun 21 15:28:01 server02 sshd[5940]: Invalid user admin from 68.168.113.155
Jun 21 15:28:01 server02 sshd[5940]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.168.113.155
Jun 21 15:28:03 server02 sshd[5940]: Failed password for invalid user admin from 68.168.113.155 port 33304 ssh2
Jun 21 15:28:06 server02 sshd[5942]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.168.113.155  user=root
Jun 21 15:28:08 server02 sshd[5942]: Failed password for root from 68.168.113.155 port 33514 ssh2

The TCP transmission message is observed when launching Wireshark on the
host machine, recording server02 with the capture filter string `host
xxx.xxx.xxx.112'.

Is this the right way to monitor the complete interaction between the
ssh client and server? Or what is the right way to monitor the ssh
interaction (from the client executing `ssh user@host_name` until it
successfully logs in or times out)?

And which keyword can I use for checking successful/unsuccessful
attempts on ssh? I scrolled through the Wireshark log, but could not
figure it out.

My host is Debian wheezy/sid.
All guest machines are Debian squeeze/sid with kernel 2.6.32-5-686.
The OpenSSH version is OpenSSH_5.5p1 Debian-5+b1, with OpenSSL 0.9.8o 01 Jun 2010.

Thank you for advice. I appreciate it.

On Tue, Jun 21, 2011 at 5:17 PM, Shain Singh <shain.singh@xxxxxxxxx> wrote:
>> xxx.xxx.xxx.112 68.168.113.155  SSH     [TCP Retransmission] Encrypted response packet len=35
>> 68.168.113.155  xxx.xxx.xxx.112 TCP     [TCP Previous segment lost] 33514 > ssh [ACK] Seq=21 Ack=36 Win=5888 Len=0 TSV=3950744190 TSER=4316095 SLE=1 SRE=36
>> 68.168.113.155  xxx.xxx.xxx.112 SSHv2   [TCP Retransmission] Client Protocol: SSH-2.0-libssh-0.1\r
>>
>
> Have you got SSH configured on the host computer to port forward to the
> servers (are the virtual hosts in bridged or NAT mode?) - looks to be
> bridged.
> I would have thought that this could just be someone 'trying' to brute force
> SSH. It doesn't necessarily mean they have been able to successfully connect
> from the logs above unless I am missing something.
> Have a scroll through your logs for successful/unsuccessful attempts on SSH.
>
> --
> Shaineel Singh
> e: shain.singh@xxxxxxxxx
> p: +61 422 921 951
> w: http://buffet.shainsingh.com
>
> --
> "Too many have dispensed with generosity to practice charity" - Albert Camus
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
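As an added example, not part of the original thread: a small Python script that answers the "which keyword" question by classifying sshd auth.log lines per source address. OpenSSH logs successful logins as `Accepted password for ...` or `Accepted publickey for ...`; the first eight sample lines are the ones quoted in the message (re-joined onto single lines), and the `Accepted publickey` line for 192.0.2.10 is constructed so the success path is exercised too.

```python
import re
from collections import defaultdict

# Sample auth.log: eight lines from the message above plus one constructed
# "Accepted publickey" line (192.0.2.10 / user thomas are made up) so a
# successful login is present alongside the failures.
SAMPLE_AUTH_LOG = """\
Jun 21 15:15:25 server02 sshd[5523]: Did not receive identification string from 68.168.113.155
Jun 21 15:27:57 server02 sshd[5937]: Invalid user webmaster from 68.168.113.155
Jun 21 15:27:57 server02 sshd[5937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.168.113.155
Jun 21 15:27:59 server02 sshd[5937]: Failed password for invalid user webmaster from 68.168.113.155 port 33025 ssh2
Jun 21 15:28:01 server02 sshd[5940]: Invalid user admin from 68.168.113.155
Jun 21 15:28:03 server02 sshd[5940]: Failed password for invalid user admin from 68.168.113.155 port 33304 ssh2
Jun 21 15:28:06 server02 sshd[5942]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.168.113.155  user=root
Jun 21 15:28:08 server02 sshd[5942]: Failed password for root from 68.168.113.155 port 33514 ssh2
Jun 21 16:02:11 server02 sshd[6102]: Accepted publickey for thomas from 192.0.2.10 port 50122 ssh2
"""

# One pattern per sshd outcome worth counting. "Accepted" covers both
# password and publickey logins; pam_unix lines are skipped because each
# one is already paired with a "Failed password" line.
PATTERNS = {
    "accepted": re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"),
    "failed":   re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"),
    "invalid":  re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)"),
    "no_ident": re.compile(r"sshd\[\d+\]: Did not receive identification string from (?P<ip>\S+)"),
}

def summarise_sshd(log_text):
    """Return {source_ip: {outcome: count, ..., "users": set}} for sshd lines."""
    summary = defaultdict(lambda: {**{k: 0 for k in PATTERNS}, "users": set()})
    for line in log_text.splitlines():
        for outcome, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                entry = summary[m.group("ip")]
                entry[outcome] += 1
                if "user" in m.groupdict():
                    entry["users"].add(m.group("user"))
                break  # each line has exactly one outcome
    return dict(summary)

def hosts_with_failures_only(summary, min_failures=3):
    """Sources with at least min_failures failed logins and no accepted login."""
    return sorted(ip for ip, e in summary.items()
                  if e["failed"] >= min_failures and e["accepted"] == 0)

if __name__ == "__main__":
    s = summarise_sshd(SAMPLE_AUTH_LOG)
    for ip, e in s.items():
        print(ip, {k: v for k, v in e.items() if k != "users"}, sorted(e["users"]))
    print("failed-only sources:", hosts_with_failures_only(s))
```

Pointing the script at a real /var/log/auth.log (read into `log_text`) gives the per-source view the question is after; the packet capture only shows encrypted SSH payloads, so the success/failure outcome has to come from the server log.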