SSH: Secure Shell

encrypted layer 7 SSH

Introduction

This tutorial discusses the sshDecode plugin. SSH encrypts the session, but everything up to the New Keys message travels in cleartext: the version banners, the Key Exchange Init lists of supported algorithms, the key exchange messages and the server's host key. sshDecode extracts these tokens, among them the host key fingerprint and the HASSH hashes, so even without decrypting anything you learn a lot, which helps when proceeding with Encrypted Traffic Mining.

Preparation

First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the core (tranalyzer2) and the following plugins:

t2build tranalyzer2 basicFlow tcpStates sshDecode txtSink

...
BUILD SUCCESSFUL

If you have not created separate data and results directories yet, do it now in another bash window; it facilitates your workflow:

mkdir ~/data ~/results

The sample PCAP used in this tutorial can be downloaded here: ssh_succ.pcap.

Please save it in your ~/data folder.

Now you are all set for analyzing SSH traffic!

sshDecode

Let’s look at the plugin configuration first:

sshDecode

vi src/sshDecode.h

The flags control how the plugin detects SSH (by port or by content), how much of the handshake it decodes, which hash (MD5 or SHA256) is used for the host key fingerprint, and whether the chosen algorithms, the full algorithm lists and the HASSH fingerprints are written to the flow file. We leave everything at its default.

...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

#define SSH_USE_PORT         0 // Count all packets to/from SSH_PORT as SSH
#define SSH_DECODE           2 // 0: Do not decode SSH handshake messages
                               // 1: Only decode SSH Key Exchange Init messages
                               // 2: Decode all SSH Exchange messages
#define SSH_FINGERPRINT      1 // Algorithm to use for the fingerprint (requires SSH_DECODE == 2)
                               // 0: no fingerprint, 1: MD5, 2: SHA256
#define SSH_ALGO             1 // Output chosen algorithms
#define SSH_LISTS            0 // Output lists of supported algorithms
#define SSH_HASSH            1 // Output HASSH fingerprint (hash and description)
#define SSH_HASSH_STR        0 // Also output HASSH fingerprint before hashing
#define SSH_HASSH_DLEN     512 // Max length for HASSH descriptions
#define SSH_HASSH_STR_LEN 1024 // Max length for uncompressed HASSH signatures

#define SSH_BUF_SIZE 512 // Buffer size for strings
#define SSH_HKT_SIZE  48 // Host Key Type

#define SSH_DEBUG      0 // Activate debug output

/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */

#define SSH_HASSH_NAME "hassh_fingerprints.tsv" // Name of the HASSH database

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...

Now run t2 on the supplied pcap. The -s option additionally writes a per-packet file, which we look at later.

t2 -r ~/data/ssh_succ.pcap -w ~/results/ -s

================================================================================
Tranalyzer 0.9.4 (Anteater), Cobra. PID: 34204, Prio: 0, SID: 666
================================================================================
Date: 1752082662.000027170 sec (Wed 09 Jul 2025 19:37:42 CEST)
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.4
    02: tcpStates, 0.9.4
    03: sshDecode, 0.9.4
    04: txtSink, 0.9.4
[INF] IPv4 Ver: 6, Rev: 02072025, Range Mode: 0, subnet ranges loaded: 7238027 (7.24 M)
[INF] IPv6 Ver: 6, Rev: 02072025, Range Mode: 0, subnet ranges loaded: 1419153 (1.42 M)
[INF] sshDecode: 49 HASSH fingerprints loaded
Processing file: /home/user/data/ssh_succ.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 262144 (262.14 K)
Dump start: 1450627994.669582000 sec (Sun 20 Dec 2015 16:13:14 GMT)
Dump stop : 1450628048.881344000 sec (Sun 20 Dec 2015 16:14:08 GMT)
Total dump duration: 54.211762000 sec
Finished processing. Elapsed time: 0.043729381 sec
Finished unloading flow memory. Time: 0.044073968 sec
Percentage completed: 100.00%
Number of processed packets: 625
Number of processed bytes: 88924 (88.92 K)
Number of raw bytes: 88924 (88.92 K)
Number of pad bytes: 610
Number of pcap bytes: 98948 (98.95 K)
Number of L2 packets: 44 [7.04%]
Number of IPv4 packets: 542 [86.72%]
Number of IPv6 packets: 39 [6.24%]
Number of A packets: 470 [75.20%]
Number of B packets: 155 [24.80%]
Number of A bytes: 58218 (58.22 K) [65.47%]
Number of B bytes: 30706 (30.71 K) [34.53%]
<A packet load>: 123.87
<B packet load>: 198.10
--------------------------------------------------------------------------------
tcpStates: Aggregated tcpStatesAFlags=0x02
sshDecode: Aggregated sshStat=0x103b
sshDecode: Number of SSH flows: 8 [9.30%]
--------------------------------------------------------------------------------
Headers count: min: 2, max: 4, avg: 3.03
Number of LLC packets: 27 [4.32%]
Number of ARP packets: 15 [2.40%]
Number of IGMP packets: 10 [1.60%]
Number of ICMPv6 packets: 18 [2.88%]
Number of TCP packets: 365 [58.40%]
Number of TCP bytes: 59122 (59.12 K) [66.49%]
Number of UDP packets: 166 [26.56%]
Number of UDP bytes: 22408 (22.41 K) [25.20%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed      flows: 86
Number of processed L2   flows: 5 [5.81%]
Number of processed IPv4 flows: 64 [74.42%]
Number of processed IPv6 flows: 17 [19.77%]
Number of processed A    flows: 82 [95.35%]
Number of processed B    flows: 4 [4.65%]
Number of request        flows: 82 [95.35%]
Number of reply          flows: 4 [4.65%]
Total   A/B    flow asymmetry: 0.91
Total req/rply flow asymmetry: 0.91
Number of processed A+B packets/A+B flows: 7.27
Number of processed A   packets/A   flows: 5.73
Number of processed   B packets/  B flows: 38.75
Number of processed total packets/s: 11.53
Number of processed A+B   packets/s: 11.53
Number of processed A     packets/s: 8.67
Number of processed   B   packets/s: 2.86
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 1.59
<Bandwidth>: 12620 b/s (12.62 Kb/s)
<Raw bandwidth>: 13122 b/s (13.12 Kb/s)
Max number of flows in memory: 86 [0.03%]
Memory usage: 0.02 GB [0.03%]
Aggregated flowStat=0x0c0000000200c064
[INF] Layer 2 flows
[INF] IPv4 flows
[INF] IPv6 flows
[INF] ARP
[INF] LLDP
[INF] SSDP/UPnP

So we have eight SSH flows (four sessions, each with an A and a B flow). The aggregated sshStat 0x103b is the OR of all flows' status bits: SSH detected, banner order recorded, Key Exchange Init, Diffie-Hellman Key Exchange Init and Reply, and New Keys all seen, i.e. at least one key exchange ran to completion. tawk decodes the value:

tawk -V sshStat=0x103b

The sshStat column with value 0x103b is to be interpreted as follows:

   bit | sshStat | Description
   =============================================================================
     0 | 0x0001  | Flow contains SSH protocol
     1 | 0x0002  | Keeps track of who sent the SSH banner first
     3 | 0x0008  | Key Exchange Init message seen
     4 | 0x0010  | Diffie-Hellman Key Exchange Init message seen
     5 | 0x0020  | Diffie-Hellman Key Exchange Reply message seen
    12 | 0x1000  | New Keys message seen

Selecting the SSH flows shows four sessions from 10.20.6.233 to 10.20.0.171 on port 22. The A flows carry the client banner SSH-2.0-OpenSSH_7.1, the B flows the server banner SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2, so the client runs OpenSSH 7.1 and the server OpenSSH 6.0. The B flows also carry the server's host key type (ecdsa-sha2-nistp256) and its MD5 fingerprint, identical in all four sessions, while sshCookie changes per session, as a random cookie should. The sshHassh values (client in A, server in B) are likewise identical across sessions: they depend only on the algorithm lists, which is what makes them usable as implementation fingerprints. Note that sshSrvHKeyAlgo of the A flows says ssh-rsa while the key the server actually presented (sshHostKeyType of the B flows) is ecdsa-sha2-nistp256; when identifying a server key, rely on the B-side sshHostKeyType and sshFingerprint, which are taken from the Key Exchange Reply.

tawk 'bitsanyset($sshStat, 0x0001)' ~/results/ssh_succ_flows.txt | tcol

%dir  flowInd  flowStat            timeFirst             timeLast              duration      numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  vlanID  srcIP        srcIPCC  srcIPOrg            srcPort  dstIP        dstIPCC  dstIPOrg            dstPort  l4Proto  tcpStatesAFlags  sshStat  sshVersion                               sshHostKeyType       sshFingerprint                                   sshCookie                         sshKEX              sshSrvHKeyAlgo  sshEncCS    sshEncSC    sshMacCS  sshMacSC  sshCompCS  sshCompSC  sshLangCS  sshLangSC  sshHassh                          sshHasshDesc
A     26       0x0400000000004000  1450628004.529458000  1450628016.088016000  11.558558000  1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.233  04       "!Private network"  37332    10.20.0.171  04       "!Private network"  22       6        0x02             0x101b   "SSH-2.0-OpenSSH_7.1"                                                                                          e97458497c02f134bcadf82e24888724  ecdh-sha2-nistp256  ssh-rsa         aes128-ctr  aes128-ctr  hmac-md5                                                        de75d6191ba48aa3b1ea4577b1604dfb  
B     26       0x0400000000004001  1450628004.529832000  1450628016.087998000  11.558166000  1           3        eth:ipv4:tcp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           10.20.0.171  04       "!Private network"  22       10.20.6.233  04       "!Private network"  37332    6        0x02             0x0029   "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"  ecdsa-sha2-nistp256  e6:fc:f1:4c:1f:0c:eb:ec:32:1d:7c:83:90:ae:07:70  0cb234edd1fc4624fef696ed213c615b                                                                                                                              ce3c327f37ea2ec21f317fbc3fd1ea43  
A     55       0x0400000000004000  1450628020.480513000  1450628028.810340000  8.329827000   1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.233  04       "!Private network"  37334    10.20.0.171  04       "!Private network"  22       6        0x02             0x101b   "SSH-2.0-OpenSSH_7.1"                                                                                          b46519eb5e83864a379628a9ce5dd9b6  ecdh-sha2-nistp256  ssh-rsa         aes128-ctr  aes128-ctr  hmac-md5                                                        de75d6191ba48aa3b1ea4577b1604dfb  
B     55       0x0400000000004001  1450628020.480748000  1450628028.810304000  8.329556000   1           3        eth:ipv4:tcp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           10.20.0.171  04       "!Private network"  22       10.20.6.233  04       "!Private network"  37334    6        0x02             0x0029   "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"  ecdsa-sha2-nistp256  e6:fc:f1:4c:1f:0c:eb:ec:32:1d:7c:83:90:ae:07:70  3f06443da53fc7bda8c79616b8b70455                                                                                                                              ce3c327f37ea2ec21f317fbc3fd1ea43  
A     66       0x0400000000004000  1450628031.531563000  1450628040.205273000  8.673710000   1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.233  04       "!Private network"  37336    10.20.0.171  04       "!Private network"  22       6        0x02             0x101b   "SSH-2.0-OpenSSH_7.1"                                                                                          f8960a89ec0a725f247b17164cbb5639  ecdh-sha2-nistp256  ssh-rsa         aes128-ctr  aes128-ctr  hmac-md5                                                        de75d6191ba48aa3b1ea4577b1604dfb  
B     66       0x0400000000004001  1450628031.531825000  1450628040.205236000  8.673411000   1           3        eth:ipv4:tcp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           10.20.0.171  04       "!Private network"  22       10.20.6.233  04       "!Private network"  37336    6        0x02             0x0029   "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"  ecdsa-sha2-nistp256  e6:fc:f1:4c:1f:0c:eb:ec:32:1d:7c:83:90:ae:07:70  f05ae7bcdd283d561f2e588e3fd48f62                                                                                                                              ce3c327f37ea2ec21f317fbc3fd1ea43  
A     76       0x0400000000004000  1450628041.583747000  1450628047.913554000  6.329807000   1           3        eth:ipv4:tcp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.233  04       "!Private network"  37338    10.20.0.171  04       "!Private network"  22       6        0x02             0x101b   "SSH-2.0-OpenSSH_7.1"                                                                                          d4538ff7ed01147ab232886ff6ae8c47  ecdh-sha2-nistp256  ssh-rsa         aes128-ctr  aes128-ctr  hmac-md5                                                        de75d6191ba48aa3b1ea4577b1604dfb  
B     76       0x0400000000004001  1450628041.583991000  1450628047.913518000  6.329527000   1           3        eth:ipv4:tcp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           10.20.0.171  04       "!Private network"  22       10.20.6.233  04       "!Private network"  37338    6        0x02             0x0029   "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"  ecdsa-sha2-nistp256  e6:fc:f1:4c:1f:0c:eb:ec:32:1d:7c:83:90:ae:07:70  eb2a508b905c141d31d4fd4182f2bc1d                                                                                                                              ce3c327f37ea2ec21f317fbc3fd1ea43  
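The flow table above is what you would normally feed to a script. The following Python, an added example and not Tranalyzer code, reads such a flow file (assuming the tab-separated layout with a '%'-prefixed header that txtSink writes), decodes sshStat with the bit table from tawk -V, pairs the A and B flows of each session by flowInd and reports the version banners, an incomplete handshake, weak entries in the chosen-algorithm columns and a server host key fingerprint that changed between sessions. The embedded sample keeps only the columns the script uses: flows 26 and 55 carry the values from the table, flow 99 is constructed so that the last two findings fire, and the weak-algorithm policy is an assumption of the example.

```python
"""Audit SSH sessions from the txtSink flow file written by t2 with sshDecode.

Added example, not part of Tranalyzer. sshStat bits are taken from the
`tawk -V sshStat=0x103b` output; the weak-algorithm policy is assumed.
"""
import csv
import io
from collections import defaultdict

SSHSTAT_BITS = {
    0x0001: "Flow contains SSH protocol",
    0x0002: "Keeps track of who sent the SSH banner first",
    0x0008: "Key Exchange Init message seen",
    0x0010: "Diffie-Hellman Key Exchange Init message seen",
    0x0020: "Diffie-Hellman Key Exchange Reply message seen",
    0x1000: "New Keys message seen",
}
SSH_PROTO, NEWKEYS = 0x0001, 0x1000

# Assumed local policy (not from the page): algorithms a 2015-era OpenSSH
# still offers but a current baseline rejects.
WEAK = {
    "sshKEX": {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"},
    "sshEncCS": {"arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc", "cast128-cbc"},
    "sshMacCS": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"},
}

# Constructed excerpt of ~/results/ssh_succ_flows.txt: tab-separated, header
# prefixed with '%', reduced to the columns used here. Flows 26 and 55 carry
# the values shown above; flow 99 is invented (no New Keys, different key).
_HEADER = ("%dir", "flowInd", "srcIP", "srcPort", "dstIP", "dstPort", "sshStat",
           "sshVersion", "sshHostKeyType", "sshFingerprint", "sshKEX",
           "sshEncCS", "sshMacCS", "sshHassh")
_SRV_BANNER = '"SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2"'
_SRV_FP = "e6:fc:f1:4c:1f:0c:eb:ec:32:1d:7c:83:90:ae:07:70"
_FAKE_FP = "11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00"  # constructed
_ROWS = [
    ("A", "26", "10.20.6.233", "37332", "10.20.0.171", "22", "0x101b", '"SSH-2.0-OpenSSH_7.1"',
     "", "", "ecdh-sha2-nistp256", "aes128-ctr", "hmac-md5", "de75d6191ba48aa3b1ea4577b1604dfb"),
    ("B", "26", "10.20.0.171", "22", "10.20.6.233", "37332", "0x0029", _SRV_BANNER,
     "ecdsa-sha2-nistp256", _SRV_FP, "", "", "", "ce3c327f37ea2ec21f317fbc3fd1ea43"),
    ("A", "55", "10.20.6.233", "37334", "10.20.0.171", "22", "0x101b", '"SSH-2.0-OpenSSH_7.1"',
     "", "", "ecdh-sha2-nistp256", "aes128-ctr", "hmac-md5", "de75d6191ba48aa3b1ea4577b1604dfb"),
    ("B", "55", "10.20.0.171", "22", "10.20.6.233", "37334", "0x0029", _SRV_BANNER,
     "ecdsa-sha2-nistp256", _SRV_FP, "", "", "", "ce3c327f37ea2ec21f317fbc3fd1ea43"),
    ("A", "99", "10.20.6.233", "37340", "10.20.0.171", "22", "0x001b", '"SSH-2.0-OpenSSH_7.1"',
     "", "", "ecdh-sha2-nistp256", "aes128-ctr", "hmac-md5", "de75d6191ba48aa3b1ea4577b1604dfb"),
    ("B", "99", "10.20.0.171", "22", "10.20.6.233", "37340", "0x0029", _SRV_BANNER,
     "ecdsa-sha2-nistp256", _FAKE_FP, "", "", "", "ce3c327f37ea2ec21f317fbc3fd1ea43"),
]
SAMPLE_FLOWS = "\n".join("\t".join(r) for r in (_HEADER, *_ROWS)) + "\n"


def decode_sshstat(value):
    """Descriptions of the sshStat bits set in value (per flow or aggregated)."""
    return [desc for bit, desc in SSHSTAT_BITS.items() if value & bit]


def parse_flows(text):
    """Read a txtSink flow file; strip the '%' of the header, parse sshStat as hex."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        row = {k.lstrip("%"): v for k, v in row.items()}
        row["sshStat"] = int(row["sshStat"], 16)
        rows.append(row)
    return rows


def audit(rows):
    """Return (flowInd, finding) pairs; A is the initiating (client) flow."""
    sessions = defaultdict(dict)
    for r in rows:
        if r["sshStat"] & SSH_PROTO:
            sessions[r["flowInd"]][r["dir"]] = r
    known_keys = {}  # (server ip, port) -> fingerprint first seen
    findings = []
    for ind in sorted(sessions, key=int):
        a, b = sessions[ind].get("A"), sessions[ind].get("B")
        if a is None or b is None:
            findings.append((ind, "only one direction of the session was seen"))
            continue
        findings.append((ind, f"client {a['sshVersion']} -> server {b['sshVersion']}"))
        if not (a["sshStat"] & NEWKEYS):
            findings.append((ind, "handshake did not reach New Keys"))
        for col, weak in WEAK.items():
            if a[col] in weak:
                findings.append((ind, f"weak {col} negotiated: {a[col]}"))
        server, fp = (b["srcIP"], b["srcPort"]), b["sshFingerprint"]
        if fp and known_keys.setdefault(server, fp) != fp:
            findings.append((ind, f"host key of {server[0]}:{server[1]} changed: "
                                  f"{known_keys[server]} -> {fp}"))
    return findings


if __name__ == "__main__":
    for ind, msg in audit(parse_flows(SAMPLE_FLOWS)):
        print(f"flow {ind}: {msg}")
```

To run it on the real output, replace SAMPLE_FLOWS with the content of ~/results/ssh_succ_flows.txt; the column names are the ones from the header line. A changed fingerprint for the same server is the check worth alerting on: it means key rotation, a rebuilt host, or someone sitting between client and server.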

Because t2 ran with -s, there is also a packet file. For the SSH flows its l7Content column shows the cleartext payload of every packet: the banners (packets 67 and 69), the client's Key Exchange Init with its complete lists of supported algorithms (71 and 72, split over two segments), the server's Key Exchange Init (73), the client's Diffie-Hellman Key Exchange Init (76) and the Key Exchange Reply carrying the ecdsa-sha2-nistp256 host key (77). After New Keys only ciphertext follows.

tawk 'bitsanyset($sshStat, 0x0001)' ~/results/ssh_succ_packets.txt | tail -n 67 | tcol

%pktNo  flowInd  flowStat            time                  pktIAT       pktTrip      flowDuration  numHdrs  hdrDesc       vlanID  srcMac             dstMac             ethType  srcIP        srcIPCC  srcIPOrg          srcPort  dstIP        dstIPCC  dstIPOrg          dstPort  l4Proto  tcpStatesAFlags  sshStat  l7Content
67      26       0x0400000000004000  1450628004.530052000  0.000192000  0.000220000  0.000594000   3        eth:ipv4:tcp          e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800   10.20.6.233  04       !Private network  37332    10.20.0.171  04       !Private network  22       6        0x00             0x0003   SSH-2.0-OpenSSH_7.1\r\n
69      26       0x0400000000004001  1450628004.537638000  0.007434000  0.007586016  0.007806000   3        eth:ipv4:tcp          90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800   10.20.0.171  04       !Private network  22       10.20.6.233  04       !Private network  37332    6        0x00             0x0001   SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2\r\n
70      26       0x0400000000004000  1450628004.537710000  0.007658000  0.000072000  0.008252000   3        eth:ipv4:tcp          e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800   10.20.6.233  04       !Private network  37332    10.20.0.171  04       !Private network  22       6        0x00             0x0003   
71      26       0x0400000000004000  1450628004.538022000  0.000312000  0.000384000  0.008564000   3        eth:ipv4:tcp          e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800   10.20.6.233  04       !Private network  37332    10.20.0.171  04       !Private network  22       6        0x00             0x000b   ...4\n..tXI|..4....$..$....curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1...\becdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa....chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se....chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se....umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96....umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-s
72      26       0x0400000000004000  1450628004.538192000  0.000170000  0.000553984  0.008734000   3        eth:ipv4:tcp          e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800   10.20.6.233  04       !Private network  37332    10.20.0.171  04       !Private network  22       6        0x00             0x000b   ha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96....none,zlib@openssh.com,zlib....none,zlib@openssh.com,zlib.......................
73      26       0x0400000000004001  1450628004.538581000  0.000943000  0.000388992  0.008749000   3        eth:ipv4:tcp          90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800   10.20.0.171  04       !Private network  22       10.20.6.233  04       !Private network  37332    6        0x00             0x0009   ....\t.\f.4...F$....!<a[....ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1...#ssh-rsa,ssh-dss,ecdsa-sha2-nistp256....aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se....aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se....hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96....hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96....none,zlib@openssh.com....none,zlib@openssh.com......................
74      26       0x0400000000004000  1450628004.576643000  0.038451000  0.038062016  0.047185000   3        eth:ipv4:tcp          e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800   10.20.6.233  04       !Private network  37332    10.20.0.171  04       !Private network  22       6        0x00             0x000b   
75      26       0x0400000000004001  1450628004.576877000  0.038296000  0.000233984  0.047045000   3        eth:ipv4:tcp          90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800   10.20.0.171  04       !Private network  22       10.20.6.233  04       !Private network  37332    6        0x00             0x0009   
76      26       0x0400000000004000  1450628004.576893000  0.000250000  0.000016000  0.047435000   3        eth:ipv4:tcp          e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800   10.20.6.233  04       !Private network  37332    10.20.0.171  04       !Private network  22       6        0x00             0x001b   ...L.....A.\b.[."..I.:."@W...?..k@..C).I.&...Q.z_9<..^...eZ...........Y...g......
77      26       0x0400000000004001  1450628004.579220000  0.002343000  0.002326976  0.049388000   3        eth:ipv4:tcp          90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800   10.20.0.171  04       !Private network  22       10.20.6.233  04       !Private network  37332    6        0x00             0x0029   ...$\b....h....ecdsa-sha2-nistp256...\bnistp256...A.n...z.\v..+4.3....H.A..b.!^._.8Rjl.n...TF..@.ZK....e0.i......^.m....A.y|.\v..{.b\b;.3f~S.Z9D.".\\.\f0A-7.zn+%63.l..^....c.}..s..g.\b.g........e....ecdsa-sha2-nistp256...J...!...[...J.....<....\r;B..!............!..2.yH.{.wVW...y..65.;..?...3dz.............\f\n...........
...
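The Key Exchange Init payloads visible above are exactly the input of the HASSH fingerprint and of the algorithm negotiation. The following Python, an added example and not Tranalyzer code, serialises and parses SSH_MSG_KEXINIT as defined in RFC 4253 section 7.1, computes hassh and hasshServer as published (MD5 over the kex, encryption, MAC and compression name-lists joined with ';', client-to-server lists for the client, server-to-client lists for the server) and applies the RFC negotiation rule (first client-preferred name the server also offers). The algorithm lists are copied from packets 71/72 (client) and 73 (server), the cookies from the sshCookie column of flow 26. Compare the digests with the sshHassh column and the negotiated names with the chosen-algorithm columns: the RFC rule yields umac-64@openssh.com and ecdsa-sha2-nistp256 where the A flow lists hmac-md5 and ssh-rsa, and the host key type in the B flow agrees with the RFC result.

```python
"""Build, parse and fingerprint SSH_MSG_KEXINIT (RFC 4253, section 7.1).

Added example, not Tranalyzer code. Lists from packets 71/72 (OpenSSH 7.1
client) and 73 (OpenSSH 6.0p1 server); cookies from the sshCookie column.
"""
import hashlib
import struct

SSH_MSG_KEXINIT = 20
# Name-list fields of KEXINIT, in wire order.
FIELDS = ("kex", "hostkey", "enc_ctos", "enc_stoc", "mac_ctos", "mac_stoc",
          "comp_ctos", "comp_stoc", "lang_ctos", "lang_stoc")

_C_ENC = ("chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,"
          "aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,"
          "cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se")
_C_MAC = ("umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
          "hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,"
          "umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,"
          "hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,"
          "hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96")
CLIENT_KEXINIT = {
    "kex": "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1",
    "hostkey": "ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa",
    "enc_ctos": _C_ENC, "enc_stoc": _C_ENC, "mac_ctos": _C_MAC, "mac_stoc": _C_MAC,
    "comp_ctos": "none,zlib@openssh.com,zlib", "comp_stoc": "none,zlib@openssh.com,zlib",
    "lang_ctos": "", "lang_stoc": "",
}
CLIENT_COOKIE = bytes.fromhex("e97458497c02f134bcadf82e24888724")

_S_ENC = ("aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,"
          "blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se")
_S_MAC = ("hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,"
          "hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96")
SERVER_KEXINIT = {
    "kex": "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
    "hostkey": "ssh-rsa,ssh-dss,ecdsa-sha2-nistp256",
    "enc_ctos": _S_ENC, "enc_stoc": _S_ENC, "mac_ctos": _S_MAC, "mac_stoc": _S_MAC,
    "comp_ctos": "none,zlib@openssh.com", "comp_stoc": "none,zlib@openssh.com",
    "lang_ctos": "", "lang_stoc": "",
}
SERVER_COOKIE = bytes.fromhex("0cb234edd1fc4624fef696ed213c615b")


def _name_list(s):
    """RFC 4251 name-list: uint32 length followed by comma-separated names."""
    b = s.encode("ascii")
    return struct.pack(">I", len(b)) + b


def build_kexinit(lists, cookie, first_kex_packet_follows=False):
    """Serialise the KEXINIT payload (the part carried inside the binary packet)."""
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 random bytes")
    out = bytes([SSH_MSG_KEXINIT]) + cookie + b"".join(_name_list(lists[f]) for f in FIELDS)
    return out + bytes([int(first_kex_packet_follows)]) + struct.pack(">I", 0)


def parse_kexinit(payload):
    """Inverse of build_kexinit; rejects wrong type, truncated or trailing data."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    cookie, off, lists = payload[1:17], 17, {}
    for f in FIELDS:
        if off + 4 > len(payload):
            raise ValueError(f"truncated before name-list {f}")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + n > len(payload):
            raise ValueError(f"truncated name-list {f}")
        lists[f] = payload[off:off + n].decode("ascii")
        off += n
    if off + 5 != len(payload):  # boolean + uint32 reserved must end the payload
        raise ValueError("bad length after name-lists")
    return cookie, lists, bool(payload[off])


def hassh(lists, server=False):
    """Return (hassh or hasshServer hex digest, the string that was hashed)."""
    side = "stoc" if server else "ctos"
    desc = ";".join((lists["kex"], lists["enc_" + side], lists["mac_" + side], lists["comp_" + side]))
    return hashlib.md5(desc.encode("ascii")).hexdigest(), desc


def negotiate(client, server):
    """Per list, the first client-preferred name the server also offers (RFC 4253 7.1;
    the extra host-key compatibility condition of the kex rule is omitted)."""
    chosen = {}
    for f in FIELDS[:8]:
        offered = server[f].split(",")
        chosen[f] = next((a for a in client[f].split(",") if a in offered), None)
    return chosen


if __name__ == "__main__":
    cookie, lists, _ = parse_kexinit(build_kexinit(CLIENT_KEXINIT, CLIENT_COOKIE))
    print("client cookie:", cookie.hex(), "hassh:", hassh(lists)[0])
    print("hasshServer:", hassh(SERVER_KEXINIT, server=True)[0])
    for f, name in negotiate(CLIENT_KEXINIT, SERVER_KEXINIT).items():
        print(f"{f:9s} -> {name}")
```

With SSH_HASSH_STR set to 1 the plugin also writes the pre-hash string, which is the desc value returned by hassh() and the quickest way to see why two implementations share or differ in their fingerprint.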

Conclusion

Don’t forget to reset the plugin configuration for the next tutorial.

t2conf sshDecode --reset && t2build sshDecode

Have fun analyzing.