Size of data packets in SSH connection

Damien Miller djm at mindrot.org
Wed Apr 14 15:20:11 EST 2010


On Tue, 13 Apr 2010, david kohn7 wrote:

> >
> > No, the TCP packets can be any size. The SSH packets that they carry
> > must be sized correctly and this depends on the cipher in use. See
> > cipher.c in the OpenSSH source for the list of blocksizes.
> 
> Thank you, i'll look into that.I
>  can access the SSH packet data (via pcap), then this should be sized
> correctly(according to SSH). For example out of 10K connections,
> all SSH packet sizes were a multiple of 4[1], 30 connections had
> packets with odd number of bytes (nearly always sent by the server)
> .
> I'm guessing this could happen at the TCP/IP level (i am seeing this
> in tcpdump) - e.g fragmentation.
> Could this be the reason why I see it? Why would it be so rare?

Before the cipher is brought up the packets are not forced to a cipher
blocksize, so you might be seeing KEXINIT packets or client/server banners.

> [1] If i'm not mistaken, the LCD of all sizes irrespective of
> cipher used is 4

That's true for protocol 2, but protocol 1 has one cipher (DES) with a
shorter blocksize. Occasionally people patch support for the null cipher
into their SSH clients or servers and it has no blocksize either.

-d


More information about the openssh-unix-dev mailing list