Analysis of SSH connection using Wireshark

Using Wireshark to analyze an SSH connection

Table of Contents

  • Introduction
  • Wireshark setup
  • SSH server setup
  • SSH Connect
  • Packet Analysis
  • Conclusion

Introduction

Wireshark is a packet analyzer used to monitor the packets a computer sends and receives. I have already written a blog post about Wireshark; click this link.

OpenSSH is a tool that provides encrypted communication between computers over an unsecured network. I also have a blog post on OpenSSH and post-quantum cryptography. Click this link.

The installation steps for both Wireshark and OpenSSH are available in those posts.

In this blog, I am going to analyze the packet transmission between 2 computers during an SSH connection.

I am going to use 2 laptops. One laptop runs Ubuntu Linux 22.04; on the other I am running Kali Linux in a VirtualBox VM on Windows 11. Ubuntu is the host machine and Kali is the client machine.

Let's set up Wireshark on both Linux machines.

sudo wireshark

This will launch Wireshark.

Then select the Wi-Fi interface for packet capture, since my Ubuntu machine is connected over Wi-Fi. If you are using an Ethernet cable, choose the Ethernet interface instead.

It should then look like this:

Wi-Fi capture window

The capture should start automatically.


Let's start the SSH server on Ubuntu.

sudo service ssh start

To check if SSH is running properly, use the command

sudo service ssh status

Start OpenSSH server


Let's get the IP address of the host machine using

ip a

Connect the machine

Then, on Kali, connect to the host:

ssh <login username>@<IP of host machine>

Connect to server

After the connection is made, try a few simple commands in the console, such as:
  • change directory: cd
  • list directory: ls
  • print current working directory: pwd
After a few commands, enough packets should have been captured. Let's end the SSH connection.

exit

Packet Analysis

We can stop capturing packets now. The capture will contain not only SSH but also other packets, for example from web browsers and other apps. To keep only the SSH packets, I will apply a packet filter. SSH has a specific default port, 22, so we can filter on that port

using tcp.port == 22 or tcp.port eq 22. The eq means equal.

Add filter

After applying the filter, we can notice that the number of packets in the list decreases, leaving us with only the packets on port 22.

Filter applied

Here in this picture, we can see the key exchange initialization from the server and the client. If we open the packet details, under Key Exchange in the kex_algorithms string, there is sntrup761x25519-sha512@openssh.com. It is the NTRU Prime algorithm that is being used to encrypt the packets. As stated in my previous blog, NTRU Prime is a candidate post-quantum encryption algorithm. Read my article about it here.
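To show what Wireshark is dissecting when it displays the kex_algorithms string, here is an added example (not code from the original post) that parses an unencrypted SSH_MSG_KEXINIT packet as laid out in RFC 4253 and returns each name-list; the sample packet and the algorithm names in it are constructed for the demo, with the NTRU Prime hybrid method from the capture included.

```python
import struct

KEXINIT = 20  # SSH_MSG_KEXINIT message id (RFC 4253 section 7.1)
NAMELIST_FIELDS = ["kex_algorithms", "server_host_key_algorithms"] + [
    f"{kind}_{d}" for kind in ("encryption_algorithms", "mac_algorithms",
    "compression_algorithms", "languages") for d in ("client_to_server", "server_to_client")]

def read_namelist(buf, off):
    """Read one SSH name-list: uint32 length, then comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4:off + 4 + n].decode("ascii")
    return ([] if raw == "" else raw.split(",")), off + 4 + n

def parse_kexinit(packet):
    """Parse an unencrypted SSH binary packet (RFC 4253 section 6) carrying KEXINIT."""
    packet_length, padding_length = struct.unpack_from(">IB", packet, 0)
    payload = packet[5:4 + packet_length - padding_length]
    if not payload or payload[0] != KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 17  # skip message id (1 byte) and the 16-byte random cookie
    fields = {}
    for name in NAMELIST_FIELDS:
        fields[name], off = read_namelist(payload, off)
    fields["first_kex_packet_follows"] = bool(payload[off])
    return fields

def uses_post_quantum_kex(packet):
    """True if the hybrid NTRU Prime + X25519 method seen in the capture is offered."""
    return "sntrup761x25519-sha512@openssh.com" in parse_kexinit(packet)["kex_algorithms"]

def build_kexinit(namelists):
    """Constructed KEXINIT for the demo: the cookie is fixed zeros instead of random."""
    payload = bytes([KEXINIT]) + b"\x00" * 16
    for name in NAMELIST_FIELDS:
        s = ",".join(namelists.get(name, [])).encode("ascii")
        payload += struct.pack(">I", len(s)) + s
    payload += b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows=0, reserved
    padding = 8 - (5 + len(payload)) % 8  # pad to the 8-byte block, at least 4 bytes
    if padding < 4:
        padding += 8
    body = bytes([padding]) + payload + b"\x00" * padding
    return struct.pack(">I", len(body)) + body

# Constructed sample packet (not taken from the author's capture).
SAMPLE = build_kexinit({
    "kex_algorithms": ["sntrup761x25519-sha512@openssh.com", "curve25519-sha256"],
    "server_host_key_algorithms": ["ssh-ed25519"],
    "encryption_algorithms_client_to_server": ["chacha20-poly1305@openssh.com"],
})
```

Calling parse_kexinit(SAMPLE)["kex_algorithms"] gives the same list Wireshark shows under Key Exchange; on a real capture you would feed it the TCP payload of the first packet after the version banners.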

The key exchange method used is the Diffie-Hellman key exchange algorithm.

Diffie-Hellman Key Exchange Algorithm

DH (Diffie-Hellman) key exchange is a key exchange protocol between 2 machines communicating over a public network. It uses symmetric cryptography.

Conclusion

This little experiment was very interesting. This is just the basic use of Wireshark; Wireshark is much more complex than this. But don't be scared: I have linked a deep-dive Wireshark playlist here.
