Odd Size SSH data frame

Ashrith Barthur bartha at cerias.purdue.edu
Thu Apr 15 16:17:52 EST 2010

I am doing a certain analysis with different kinds of traffic and SSH is one
of them. I am using SSH Version 2 on the complete test bed. Also, I am doing
in depth packet analysis and have landed up with  some anomalies.

1. Out of Millions of packet there are about 5 packets that are of odd size.
The size is only the data frame size considered after the TCP header has
been removed. All other packets we have got even data size. It is also
understood that if one were to be using SSH version 2 then the data frame
would be a multiple of 4.

2. These packets are not occurring while there is a key negotiation or while
there is a re-key in progress but they are happening bang in the middle of a
data transfer. And its usually just one packet in the middle of thousands of
other packets which have even, multiple of 4 size.

3. There is no IP fragmentation as the Offsets have been verified.

I really wonder why these packets with odd Data frame size exist. I would be
thankful if there could be some understanding about it.


Please do not print this E-mail unless you really need to.

More information about the openssh-unix-dev mailing list