Size of data packets in SSH connection
djm at mindrot.org
Wed Apr 14 15:20:11 EST 2010
On Tue, 13 Apr 2010, david kohn7 wrote:
> > No, the TCP packets can be any size. The SSH packets that they carry
> > must be sized correctly and this depends on the cipher in use. See
> > cipher.c in the OpenSSH source for the list of blocksizes.
> Thank you, i'll look into that.I
> can access the SSH packet data (via pcap), then this should be sized
> correctly(according to SSH). For example out of 10K connections,
> all SSH packet sizes were a multiple of 4, 30 connections had
> packets with odd number of bytes (nearly always sent by the server)
> I'm guessing this could happen at the TCP/IP level (i am seeing this
> in tcpdump) - e.g fragmentation.
> Could this be the reason why I see it? Why would it be so rare?
Before the cipher is brought up the packets are not forced to a cipher
blocksize, so you might be seeing KEXINIT packets or client/server banners.
>  If i'm not mistaken, the LCD of all sizes irrespective of
> cipher used is 4
That's true for protocol 2, but protocol 1 has one cipher (DES) with a
shorter blocksize. Occasionally people patch support for the null cipher
into their SSH clients or servers and it has no blocksize either.
More information about the openssh-unix-dev