Hi Ashrith,
There are lots of reasons which could create that situation. First, as
you said, all SSH packets are multiples of the block size, which itself
is a multiple of 4. But all SSH packets do not end as-is in TCP packets.
TCP as a transport protocol can split SSH packets at will and
reconstruct them later. What you've seen may be happening because of
some firewall re-encoding the TCP stream, a certain host hitting an MTU
value, ...
The idea here is that one TCP packet does not always fit an SSH packet.
Aris
Ashrith Barthur wrote:
> I am doing a certain analysis with different kinds of traffic and SSH is
> one of them. I am using SSH Version 2 on the complete test bed. Also, I am
> doing in depth packet analysis and have landed up with some anomalies.
> 
> 1. Out of millions of packets there are about 5 packets that are of odd
> size.
> The size is only the data frame size considered after the TCP header has
> been removed. All other packets we have got even data size. It is also
> understood that if one were to be using SSH version 2 then the data frame
> would be a multiple of 4.
> 
> 2. These packets are not occurring while there is a key negotiation or
> while there is a re-key in progress but they are happening bang in the
> middle of a data transfer. And it's usually just one packet in the middle
> of thousands of other packets which have even, multiple of 4 size.
> 
> 3. There is no IP fragmentation as the Offsets have been verified.
> 
> I really wonder why these packets with odd Data frame size exist. I would
> be thankful if there could be some understanding about it.
> 
> Regards
> Ashrith
> 
-- 
Aris Adamantiadis
--
BELNET, Customer Relations
Technical Advisor
t: +32 2 790 33 33
Dept: customer at belnet.be
Contact: http://www.belnet.be/fr/content/contact
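
Added example, not part of the original messages: a Python sketch of the point made in the reply above, that SSH packet boundaries and TCP segment boundaries are independent, so per-segment payload sizes can be odd while every SSH packet stays block-aligned. Assumptions, all constructed for the demo: a 16-byte block size, a 32-byte all-zero placeholder MAC, unencrypted RFC 4253 framing so the length field is readable, and split offsets chosen by hand to stand in for a middlebox or MTU effect.

```python
import struct

BLOCK = 16      # assumed cipher block size for this demo
MAC_LEN = 32    # assumed MAC length; filled with zero bytes as a placeholder

def frame(payload: bytes) -> bytes:
    """Build one SSH binary packet (RFC 4253 section 6), unencrypted."""
    pad = BLOCK - (5 + len(payload)) % BLOCK
    if pad < 4:                      # RFC 4253 requires at least 4 padding bytes
        pad += BLOCK
    body = bytes([pad]) + payload + b"\x00" * pad
    return struct.pack(">I", len(body)) + body + b"\x00" * MAC_LEN

def segment(stream: bytes, sizes):
    """Cut the byte stream at arbitrary offsets, as TCP is free to do."""
    out, pos = [], 0
    for n in sizes:
        out.append(stream[pos:pos + n])
        pos += n
    out.append(stream[pos:])         # whatever is left goes in a last segment
    return [s for s in out if s]

def reassemble(segments):
    """Rebuild the stream first, then split it on the SSH packet_length field."""
    buf, packets = b"".join(segments), []
    while len(buf) >= 4:
        (plen,) = struct.unpack(">I", buf[:4])
        total = 4 + plen + MAC_LEN
        if len(buf) < total:
            break                    # incomplete packet: more segments needed
        packets.append(buf[:total])
        buf = buf[total:]
    return packets, buf

def demo():
    payloads = [b"A" * 100, b"B" * 37, b"C" * 900]   # constructed sample data
    stream = b"".join(frame(p) for p in payloads)
    segs = segment(stream, [577, 200])               # constructed split points
    packets, leftover = reassemble(segs)
    return [len(s) for s in segs], [len(p) for p in packets], len(leftover)

if __name__ == "__main__":
    seg_sizes, pkt_sizes, leftover = demo()
    print("TCP segment payload sizes:", seg_sizes)   # sizes seen per segment
    print("SSH packet sizes         :", pkt_sizes)   # sizes after reassembly
    print("unparsed bytes           :", leftover)
```

Size checks on SSH traffic are only meaningful after stream reassembly; a per-segment payload length says nothing about SSH framing.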