LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 09-24-2005, 10:50 PM   #1
stakhous
Look at all this ssh traffic!


Recently I set up a Linux router which sits in between my internet router and my PC. Anyway, I always ssh into this Linux router, RH 9, and lately tethereal has been showing millions of packets like so:

5.050038 10.51.1.123 -> 10.51.1.1 TCP 1068 > ssh [ACK] Seq=0 Ack=73152 Win=62800 Len=0
5.059895 10.51.1.1 -> 10.51.1.123 SSH Encrypted response packet len=188
5.069873 10.51.1.1 -> 10.51.1.123 SSH Encrypted response packet len=100
5.070035 10.51.1.123 -> 10.51.1.1 TCP 1068 > ssh [ACK] Seq=0 Ack=73440 Win=64240 Len=0
5.079893 10.51.1.1 -> 10.51.1.123 SSH Encrypted response packet len=188
5.089871 10.51.1.1 -> 10.51.1.123 SSH Encrypted response packet len=100
5.090031 10.51.1.123 -> 10.51.1.1 TCP 1068 > ssh [ACK] Seq=0 Ack=73728 Win=63952 Len=0
5.099893 10.51.1.1 -> 10.51.1.123 SSH Encrypted response packet len=188
5.109874 10.51.1.1 -> 10.51.1.123 SSH Encrypted response packet len=100
5.110017 10.51.1.123 -> 10.51.1.1 TCP 1068 > ssh [ACK] Seq=0 Ack=74016 Win=63664 Len=0
5.119895 10.51.1.1 -> 10.51.1.123 SSH Encrypted response packet len=188


Does anyone have any idea why this could be happening? No pub key or RSA logins are enabled on sshd, just password. Any advice would be much appreciated.

Cheers.

Stakhous
 
Old 09-24-2005, 11:50 PM   #2
Capt_Caveman
Maybe I'm missing something, but were you logged into server over ssh at the time?
 
Old 09-25-2005, 03:15 PM   #3
stakhous
Yes I was, and this traffic only happens when I'm logged in through ssh. Sorry, I should have mentioned this before.
 
Old 09-25-2005, 07:14 PM   #4
stakhous
A friend mentioned it being a botmaster. Anyone know anything about this?
 
Old 09-25-2005, 10:55 PM   #5
Capt_Caveman
If you SSH'd into the server and ran ethereal, you'd expect to see lots of SSH traffic (i.e. you'd be seeing your own traffic). What in particular is making you think something is abnormal?
 
Old 09-26-2005, 12:24 AM   #6
stakhous
I ssh into the Linux machine, then leave it alone and it sits idle. I check the packets transferred out/in on the ssh client machine and it looks like this:

Transferred OUT: 3,165,100,230
Transferred IN : 118,000

Transferred OUT increments by about 20-30 packets a second. This is only when I'm sshed into the Linux machine.


Seems like a lot of unneeded traffic generated by ssh. No programs on the sshd server are supposed to be talking to programs on the ssh client.

Let me know if you need any more info.
 
Old 09-26-2005, 01:23 AM   #7
Capt_Caveman
I think what you're seeing is just the tethereal traffic being transmitted to you over the ssh link. So when tethereal detects an ssh packet, it dumps a line of output to the terminal, which in this case is the ssh connection. The server then transmits that output over ssh to the remote ssh client. That outgoing packet is then detected by tethereal, which repeats the whole process over and over again. Try running tethereal so that it dumps to a file instead of stdout (you'll also need to suppress the counter). So do something like this:
Code:
First test to see how long it takes to capture 100 packets:
    tethereal -c 100 port 22

Then send output to file and suppress packet counter:
    tethereal -q -c 100 -w testfile port 22

If it takes a while to fill, then you can be pretty sure it's just tethereal detecting its own traffic.

Last edited by Capt_Caveman; 09-26-2005 at 01:29 AM.
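As an added illustration of the point made in the reply above (this is not code from the thread or from any of its posters): the script below parses tethereal's one-line text output, the same layout quoted in the first post, counts how many captured packets belong to the admin's own ssh session, and builds the libpcap capture filter that excludes that session. The sample lines are constructed for this example; they reuse the thread's addresses (10.51.1.123 as the ssh client, 10.51.1.1 as the server, client port 1068), which is an assumption about which end is which, plus an invented second peer 10.51.1.77 so that the split between "my session" and "everything else" is visible.

```python
import re
from collections import Counter

# Constructed sample in tethereal's one-line text format (same layout as the
# lines quoted in the thread). The 10.51.1.123 <-> 10.51.1.1 lines stand for
# the admin's own ssh session; 10.51.1.77 is an invented second client added
# so that the "own session" / "other" split is visible.
SAMPLE_CAPTURE = """\
5.050038 10.51.1.123 -> 10.51.1.1 TCP 1068 > ssh [ACK] Seq=0 Ack=73152 Win=62800 Len=0
5.059895 10.51.1.1 -> 10.51.1.123 SSH Encrypted response packet len=188
5.069873 10.51.1.1 -> 10.51.1.123 SSH Encrypted response packet len=100
5.070035 10.51.1.123 -> 10.51.1.1 TCP 1068 > ssh [ACK] Seq=0 Ack=73440 Win=64240 Len=0
5.079893 10.51.1.1 -> 10.51.1.123 SSH Encrypted response packet len=188
5.200000 10.51.1.77 -> 10.51.1.1 TCP 40212 > ssh [SYN] Seq=0 Win=5840 Len=0
5.210000 10.51.1.1 -> 10.51.1.77 TCP ssh > 40212 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0
"""

# timestamp, source, "->", destination, protocol, then the free-form info column
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$"
)
# payload length appears as "Len=0" on TCP lines and "len=188" on SSH lines
LEN_RE = re.compile(r"\b[Ll]en=(\d+)")


def parse_capture(text):
    """Return one dict per recognised line; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkt = m.groupdict()
        pkt["ts"] = float(pkt["ts"])
        n = LEN_RE.search(pkt["info"])
        pkt["length"] = int(n.group(1)) if n else 0
        packets.append(pkt)
    return packets


def is_own_session(pkt, client_ip, server_ip):
    """True for either direction of the admin's own ssh session."""
    return {pkt["src"], pkt["dst"]} == {client_ip, server_ip}


def summarise(packets, client_ip, server_ip):
    """Split the capture into 'my own session' versus everything else."""
    own = [p for p in packets if is_own_session(p, client_ip, server_ip)]
    other = [p for p in packets if not is_own_session(p, client_ip, server_ip)]
    peers = Counter()
    for p in other:
        # the remote end is whichever address is not the server
        peers[p["src"] if p["dst"] == server_ip else p["dst"]] += 1
    return {
        "total": len(packets),
        "own_session": len(own),
        "own_bytes": sum(p["length"] for p in own),
        "other_peers": dict(peers),
    }


def build_capture_filter(client_ip, port=22):
    """libpcap/BPF capture filter (tcpdump and tethereal syntax) that drops the sniffer's own ssh session."""
    return "not (host %s and port %d)" % (client_ip, port)


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    report = summarise(pkts, "10.51.1.123", "10.51.1.1")
    print(report)
    print("suggested capture filter:", build_capture_filter("10.51.1.123"))
```

If nearly every packet in the report belongs to the session you are typing into, you are watching the sniffer feed itself: its output goes down the ssh channel, the channel's packets match `port 22`, and each one produces another line of output. Writing the capture to a file with `-w`, or excluding the session with the filter `build_capture_filter` returns, breaks that loop; whatever traffic remains is what actually deserves a look.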
 
  


All times are GMT -5. The time now is 08:55 PM.
