Odd Size SSH data frame

Aris Adamantiadis aris.adamantiadis at belnet.be
Fri Apr 16 18:27:02 EST 2010

Hi Ashrith,

There are lots of reasons which could create that situation. First, as
you told, all SSH packets are multiple of the block size, which itself
is a multiple of 4. But all SSH packets do not end as-is in TCP packets.
TCP as a transport protocol can split SSH packets at will and
reconstruct them later. What you've seen may be happening because of
some firewall re-encoding the TCP stream, a certain host hitting a MTU
value, ...
The idea here is that one tcp packet does not always fit a SSH packet.


Ashrith Barthur a écrit :
> I am doing a certain analysis with different kinds of traffic and SSH is one
> of them. I am using SSH Version 2 on the complete test bed. Also, I am doing
> in depth packet analysis and have landed up with  some anomalies.
> 1. Out of Millions of packet there are about 5 packets that are of odd size.
> The size is only the data frame size considered after the TCP header has
> been removed. All other packets we have got even data size. It is also
> understood that if one were to be using SSH version 2 then the data frame
> would be a multiple of 4.
> 2. These packets are not occurring while there is a key negotiation or while
> there is a re-key in progress but they are happening bang in the middle of a
> data transfer. And its usually just one packet in the middle of thousands of
> other packets which have even, multiple of 4 size.
> 3. There is no IP fragmentation as the Offsets have been verified.
> I really wonder why these packets with odd Data frame size exist. I would be
> thankful if there could be some understanding about it.
> Regards
> Ashrith

Aris Adamantiadis
BELNET, Customer Relations
Technical Advisor
t: +32 2 790 33 33
Dept: customer at belnet.be
Contact: http://www.belnet.be/fr/content/contact

More information about the openssh-unix-dev mailing list