
Capturing SSH Traffic

In this article, we will be capturing SSH traffic on a Linux server using nmap, tcpdump, and Wireshark! Let us dive in!

Hello, we have a target. Specifically, it is a server we want to look at. Usually, looking at traffic on a server is done to spot unencrypted traffic, or to check whether the packets being sent are secure. In this scenario, we are simply looking to see whether SSH traffic, otherwise known as port 22 traffic, is active.

We will be using a Linux-based OS to run a terminal against a Linux-based server.

We have the server's IP and will start with an initial scan. We could redirect this scan report into a file if needed, but for this scenario let us just get an initial scan. No special options for this nmap scan.

As listed in the scan output, we can see we have open ports! Let's look at port 22, SSH (Secure Shell).

Let's run a tcpdump command and save our traffic into a file labeled ssh.txt. The command will look like this:

sudo tcpdump -i eth0 -vv dst 10.1.16.12 and port ssh -w ssh.txt

We are telling tcpdump to listen on interface eth0 and capture the packets destined for 10.1.16.12 on the SSH port (22), writing them to ssh.txt. Note that -w writes the raw packets in pcap format, so the file is binary despite the .txt name.

Since this is an SSH (Secure Shell) connection, we will use the terminal to open an SSH connection to the server itself. The server is named LAMP10. The command will look like this:

ssh lamp@10.1.16.12

With an SSH connection established, we get a lot of information displayed. SSH is a popular administration protocol used to connect to Unix-based network appliances and Linux servers.

This is smart because the SSH connection is encrypted.

We are now logged in as a user in this terminal, which gives us more privileges on the server.

With everything we did on port 22, we made some noise. Let's check back on the tcpdump that was running.

We have captured some traffic! So, let us end the capture (Ctrl+C) and confirm that our ssh.txt file is present and accounted for!

We can either read this file back in the terminal (tcpdump -r ssh.txt) or open it in a tool such as Wireshark. Let's use Wireshark, as it is more user-friendly for reading traffic!

In Wireshark, we can see the protocol used is TCP, and we can watch the 3-way handshake that sets up the connection before any data packets are sent.

We are trying to see the SSH (port 22) packet info. We can see the payload is encrypted, and Wireshark even labels it as such! Can this be more secure to send information from a server to a user? Absolutely!! Take a look 🙂

When would we use this? Truthfully, not very often. But checking the delivery of packets on port 22 can tell us who the recipients are and how much traffic is being sent, and listening on a server can tell those overseeing it whether there are any misconfigurations in the server or firewall.
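As an added example, not from the original article, here is a stdlib-only Python script that reads a capture such as ssh.txt (classic pcap, as tcpdump -w writes it, not pcapng) and reports per direction how many payload bytes went where, plus the version banners, which are the only plaintext SSH ever exchanges. The client address 10.1.16.50, source port 51022, and the banner strings are constructed; the sample capture is built inline so the script runs offline.

```python
import struct
from collections import defaultdict

def build_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero, which parsing ignores."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload  # zeroed MACs, EtherType IPv4

def pcap_bytes(frames):
    """Wrap frames in a little-endian microsecond pcap with LINKTYPE_ETHERNET (1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def tcp_packets(data):
    """Yield (src, dst, sport, dport, payload) for every IPv4/TCP frame in pcap bytes."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    pos = 24                                            # skip the 24-byte global header
    while pos + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, pos + 8)[0]
        pkt, pos = data[pos + 16:pos + 16 + incl_len], pos + 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                                    # not IPv4 over Ethernet, or not TCP
        tcp = pkt[14 + (pkt[14] & 0x0F) * 4:]           # IHL gives the IP header length
        sport, dport = struct.unpack_from("!HH", tcp)
        yield (".".join(map(str, pkt[26:30])), ".".join(map(str, pkt[30:34])),
               sport, dport, tcp[(tcp[12] >> 4) * 4:])  # data offset gives TCP header length

def ssh_summary(data, port=22):
    """Payload bytes per direction plus the version banners, the only plaintext SSH sends."""
    flows, banners = defaultdict(int), []
    for src, dst, sport, dport, payload in tcp_packets(data):
        if port not in (sport, dport):
            continue
        flows[f"{src}:{sport} -> {dst}:{dport}"] += len(payload)
        if payload.startswith(b"SSH-"):
            banners.append(payload.split(b"\r\n")[0].decode())
    return dict(flows), banners
# Constructed sample: the article's server 10.1.16.12 talking to a made-up client 10.1.16.50.
SERVER, CLIENT = "10.1.16.12", "10.1.16.50"
SAMPLE_PCAP = pcap_bytes([
    build_frame(CLIENT, SERVER, 51022, 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    build_frame(SERVER, CLIENT, 22, 51022, b"SSH-2.0-OpenSSH_8.9\r\n"),
    build_frame(CLIENT, SERVER, 51022, 22, bytes(range(48))),  # stand-in for encrypted data
    build_frame(SERVER, CLIENT, 22, 51022, bytes(range(64))),
])
```

To run it against the real capture, pass open("ssh.txt", "rb").read() to ssh_summary instead of SAMPLE_PCAP; everything after the two banners shows up only as byte counts, which is exactly what the encrypted payload in Wireshark looks like.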