# SSH Packet Capture - Detailed Analysis
Complete packet-by-packet breakdown of none-exec.pcapng
All packets use cipher `none` and MAC `umac-64@openssh.com` (after NEWKEYS)
---
## Packet 0: 00-client-banner.bin
**Direction**: client
**Size**: 22 bytes
**Type**: SSH Protocol Banner
```
banner: 'SSH-2.0-OpenSSH_10.1'
```
**Explanation**: SSH protocol version identification string exchanged at connection start.
## Packet 1: 01-server-banner.bin
**Direction**: server
**Size**: 22 bytes
**Type**: SSH Protocol Banner
```
banner: 'SSH-2.0-OpenSSH_10.1'
```
**Explanation**: SSH protocol version identification string exchanged at connection start.
## Packet 2: 02-client-kexinit.bin
**Direction**: client
**Size**: 1360 bytes
**Packet Length**: 1356
**Padding Length**: 4
**Message Code**: 20
```
SSH_MSG_KEXINIT {
cookie: <16 bytes: 00639d6c4d9c27c5bdc504f664cbc016>
kex_algorithms: [
'mlkem768x25519-sha256'
'sntrup761x25519-sha512'
'sntrup761x25519-sha512@openssh.com'
'curve25519-sha256'
'curve25519-sha256@libssh.org'
... (9 more)
]
server_host_key_algorithms: [
'ssh-ed25519-cert-v01@openssh.com'
'ecdsa-sha2-nistp256-cert-v01@openssh.com'
'ecdsa-sha2-nistp384-cert-v01@openssh.com'
'ecdsa-sha2-nistp521-cert-v01@openssh.com'
'sk-ssh-ed25519-cert-v01@openssh.com'
... (11 more)
]
encryption_algorithms_client_to_server: [
'none'
]
encryption_algorithms_server_to_client: [
'none'
]
mac_algorithms_client_to_server: [
'umac-64-etm@openssh.com'
'umac-128-etm@openssh.com'
'hmac-sha2-256-etm@openssh.com'
'hmac-sha2-512-etm@openssh.com'
'hmac-sha1-etm@openssh.com'
... (5 more)
]
mac_algorithms_server_to_client: [
'umac-64-etm@openssh.com'
'umac-128-etm@openssh.com'
'hmac-sha2-256-etm@openssh.com'
'hmac-sha2-512-etm@openssh.com'
'hmac-sha1-etm@openssh.com'
... (5 more)
]
compression_algorithms_client_to_server: [
'none'
'zlib@openssh.com'
]
compression_algorithms_server_to_client: [
'none'
'zlib@openssh.com'
]
languages_client_to_server: []
languages_server_to_client: []
first_kex_packet_follows: False
reserved: 0
}
```
**Explanation**: Key exchange initialization. Both sides propose algorithms for kex, host keys, encryption, MAC, and compression.
---
## Packet 3: 03-server-kexinit.bin
**Direction**: server
**Size**: 832 bytes
**Packet Length**: 828
**Padding Length**: 9
**Message Code**: 20
```
SSH_MSG_KEXINIT {
cookie: <16 bytes: 5374a582e26836e1126eda59480f8bc6>
kex_algorithms: [
'mlkem768x25519-sha256'
'sntrup761x25519-sha512'
'sntrup761x25519-sha512@openssh.com'
'curve25519-sha256'
'curve25519-sha256@libssh.org'
... (5 more)
]
server_host_key_algorithms: [
'rsa-sha2-512'
'rsa-sha2-256'
'ecdsa-sha2-nistp521'
'ssh-ed25519'
]
encryption_algorithms_client_to_server: [
'none'
]
encryption_algorithms_server_to_client: [
'none'
]
mac_algorithms_client_to_server: [
'umac-64-etm@openssh.com'
'umac-128-etm@openssh.com'
'hmac-sha2-256-etm@openssh.com'
'hmac-sha2-512-etm@openssh.com'
'hmac-sha1-etm@openssh.com'
... (5 more)
]
mac_algorithms_server_to_client: [
'umac-64-etm@openssh.com'
'umac-128-etm@openssh.com'
'hmac-sha2-256-etm@openssh.com'
'hmac-sha2-512-etm@openssh.com'
'hmac-sha1-etm@openssh.com'
... (5 more)
]
compression_algorithms_client_to_server: [
'none'
'zlib@openssh.com'
]
compression_algorithms_server_to_client: [
'none'
'zlib@openssh.com'
]
languages_client_to_server: []
languages_server_to_client: []
first_kex_packet_follows: False
reserved: 0
}
```
**Explanation**: Key exchange initialization. Both sides propose algorithms for kex, host keys, encryption, MAC, and compression.
---
## Packet 4: 04-client-kexdh_init.bin
**Direction**: client
**Size**: 1232 bytes
**Packet Length**: 1228
**Padding Length**: 6
**Message Code**: 30
```
SSH_MSG_KEXDH_INIT {
e: <1216 bytes: 18b325067748225a281e001d112233a2027a41310a0a335859ec5dd8d173585a...>
}
```
**Explanation**: Client's Diffie-Hellman key exchange value.
---
## Packet 5: 05-server-kexdh_reply.bin
**Direction**: server
**Size**: 1280 bytes
**Packet Length**: 1276
**Padding Length**: 8
**Message Code**: 31
```
SSH_MSG_KEXDH_REPLY {
server_public_host_key: <51 bytes: 0000000b7373682d6564323535313900000020f7d8ddc526991d76243f5dea49...>
f: <1120 bytes: 8917229098b570a60528173db5c9a98e27fbea772108ea379b92987c31835c70...>
signature_of_H: <83 bytes: 0000000b7373682d6564323535313900000040a34da59a382aea9148dc0712ad...>
}
```
**Explanation**: Server's Diffie-Hellman response with its public host key, DH value, and signature.
---
## Packet 6: 06-server-newkeys.bin
**Direction**: server
**Size**: 16 bytes
**Packet Length**: 12
**Padding Length**: 10
**Message Code**: 21
```
SSH_MSG_NEWKEYS {
}
```
**Explanation**: Signals that the sender will start using the newly negotiated keys. All following packets will include MAC.
---
## Packet 7: 07-server-ext_info.bin
**Direction**: server
**Size**: 276 bytes
**Packet Length**: 264
**Padding Length**: 11
**Message Code**: 7
**MAC**: e89b5df177489bb7
```
SSH_MSG_EXT_INFO {
nr_extensions: 3
extensions: [
'server-sig-algs': 'ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256'
'publickey-hostbound@openssh.com': '0'
'ping@openssh.com': '0'
]
}
```
**Explanation**: Extension negotiation (RFC 8308). Used to advertise optional protocol extensions.
---
## Packet 8: 08-client-newkeys.bin
**Direction**: client
**Size**: 16 bytes
**Packet Length**: 12
**Padding Length**: 10
**Message Code**: 21
```
SSH_MSG_NEWKEYS {
}
```
**Explanation**: Signals that the sender will start using the newly negotiated keys. All following packets will include MAC.
---
## Packet 9: 09-client-ext_info.bin
**Direction**: client
**Size**: 60 bytes
**Packet Length**: 48
**Padding Length**: 5
**Message Code**: 7
**MAC**: e8e665da71a89a5a
```
SSH_MSG_EXT_INFO {
nr_extensions: 1
extensions: [
'ext-info-in-auth@openssh.com': '0'
]
}
```
**Explanation**: Extension negotiation (RFC 8308). Used to advertise optional protocol extensions.
---
## Packet 10: 10-client-service_request.bin
**Direction**: client
**Size**: 36 bytes
**Packet Length**: 24
**Padding Length**: 6
**Message Code**: 5
**MAC**: 9149e02f1eaeab17
```
SSH_MSG_SERVICE_REQUEST {
service_name: 'ssh-userauth'
}
```
**Explanation**: Client requests a service (usually 'ssh-userauth' or 'ssh-connection').
---
## Packet 11: 11-server-service_accept.bin
**Direction**: server
**Size**: 36 bytes
**Packet Length**: 24
**Padding Length**: 6
**Message Code**: 6
**MAC**: e54fbf63bd58851c
```
SSH_MSG_SERVICE_ACCEPT {
service_name: 'ssh-userauth'
}
```
**Explanation**: Server accepts the requested service.
---
## Packet 12: 12-client-userauth_request.bin
**Direction**: client
**Size**: 52 bytes
**Packet Length**: 40
**Padding Length**: 4
**Message Code**: 50
**MAC**: be423d89f3dc729d
```
SSH_MSG_USERAUTH_REQUEST {
user_name: 'root'
service_name: 'ssh-connection'
method_name: 'none'
// No additional fields for 'none' method
}
```
**Explanation**: User authentication request. Contains username, service, and authentication method details.
---
## Packet 13: 13-server-ext_info.bin
**Direction**: server
**Size**: 204 bytes
**Packet Length**: 192
**Padding Length**: 4
**Message Code**: 7
**MAC**: b20d9663faeca278
```
SSH_MSG_EXT_INFO {
nr_extensions: 1
extensions: [
'server-sig-algs': 'ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256'
]
}
```
**Explanation**: Extension negotiation (RFC 8308). Used to advertise optional protocol extensions.
---
## Packet 14: 14-server-userauth_failure.bin
**Direction**: server
**Size**: 60 bytes
**Packet Length**: 48
**Padding Length**: 11
**Message Code**: 51
**MAC**: df6e2ff2d2273011
```
SSH_MSG_USERAUTH_FAILURE {
authentications_that_can_continue: ['publickey', 'keyboard-interactive']
partial_success: False
}
```
**Explanation**: Authentication failed. Lists methods that can still be tried.
---
## Packet 15: 15-client-userauth_request.bin
**Direction**: client
**Size**: 132 bytes
**Packet Length**: 120
**Padding Length**: 8
**Message Code**: 50
**MAC**: 11393a00d1dc7990
```
SSH_MSG_USERAUTH_REQUEST {
user_name: 'root'
service_name: 'ssh-connection'
method_name: 'publickey'
has_signature: False
public_key_algorithm: 'ssh-ed25519'
public_key: <51 bytes: 0000000b7373682d65643235353139000000206be676faeb81863743e5a9fd2c...>
}
```
**Explanation**: User authentication request. Contains username, service, and authentication method details.
---
## Packet 16: 16-server-userauth_pk_ok.bin
**Direction**: server
**Size**: 92 bytes
**Packet Length**: 80
**Padding Length**: 8
**Message Code**: 60
**MAC**: 60f47fe6e7d44b9e
```
SSH_MSG_USERAUTH_PK_OK {
public_key_algorithm: 'ssh-ed25519'
public_key: <51 bytes: 0000000b7373682d65643235353139000000206be676faeb81863743e5a9fd2c...>
}
```
**Explanation**: Server accepts the public key for authentication. Client should now send signed request.
---
## Packet 17: 17-client-userauth_request.bin
**Direction**: client
**Size**: 300 bytes
**Packet Length**: 288
**Padding Length**: 8
**Message Code**: 50
**MAC**: 1d93895c9a72fd74
```
SSH_MSG_USERAUTH_REQUEST {
user_name: 'root'
service_name: 'ssh-connection'
method_name: 'publickey-hostbound-v00@openssh.com'
}
```
**Explanation**: User authentication request. Contains username, service, and authentication method details.
---
## Packet 18: 18-server-userauth_success.bin
**Direction**: server
**Size**: 20 bytes
**Packet Length**: 8
**Padding Length**: 6
**Message Code**: 52
**MAC**: 95b8b19e0b9770f8
```
SSH_MSG_USERAUTH_SUCCESS {
}
```
**Explanation**: Authentication succeeded. Client is now authenticated.
---
## Packet 19: 19-client-channel_open.bin
**Direction**: client
**Size**: 44 bytes
**Packet Length**: 32
**Padding Length**: 7
**Message Code**: 90
**MAC**: b02d1efdd5ef24a7
```
SSH_MSG_CHANNEL_OPEN {
channel_type: 'session'
sender_channel: 0
initial_window_size: 2097152
maximum_packet_size: 32768
}
```
**Explanation**: Opens a new channel for a specific purpose (session, forwarding, etc.).
---
## Packet 20: 20-client-global_request.bin
**Direction**: client
**Size**: 52 bytes
**Packet Length**: 40
**Padding Length**: 5
**Message Code**: 80
**MAC**: bc37d0ed73b10b28
```
SSH_MSG_GLOBAL_REQUEST {
request_name: 'no-more-sessions@openssh.com'
want_reply: False
}
```
**Explanation**: Global request for a protocol extension or feature.
---
## Packet 21: 21-server-global_request.bin
**Direction**: server
**Size**: 820 bytes
**Packet Length**: 808
**Padding Length**: 8
**Message Code**: 80
**MAC**: 3d7f905963e88a8f
```
SSH_MSG_GLOBAL_REQUEST {
request_name: 'hostkeys-00@openssh.com'
want_reply: False
request_data: <770 bytes: 00000217000000077373682d727361000000030100010000020100b8f27194547a0352bae53e6b506fa591455f1b0e602907fe2adf205cc64f34801335a764cb...>
}
```
**Explanation**: Global request for a protocol extension or feature.
---
## Packet 22: 22-server-debug.bin
**Direction**: server
**Size**: 140 bytes
**Packet Length**: 128
**Padding Length**: 11
**Message Code**: 4
**MAC**: d5f9403eb96abb6b
```
SSH_MSG_DEBUG {
always_display: False
message: '/var/root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding'
}
```
**Explanation**: Debug message from the server. Usually for diagnostics.
---
## Packet 23: 23-server-debug.bin
**Direction**: server
**Size**: 140 bytes
**Packet Length**: 128
**Padding Length**: 11
**Message Code**: 4
**MAC**: b6de49eedb1e5c05
```
SSH_MSG_DEBUG {
always_display: False
message: '/var/root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding'
}
```
**Explanation**: Debug message from the server. Usually for diagnostics.
---
## Packet 24: 24-server-channel_open_confirmation.bin
**Direction**: server
**Size**: 36 bytes
**Packet Length**: 24
**Padding Length**: 6
**Message Code**: 91
**MAC**: 1642db3f071b3784
```
SSH_MSG_CHANNEL_OPEN_CONFIRMATION {
recipient_channel: 0
sender_channel: 0
initial_window_size: 0
maximum_packet_size: 32768
}
```
**Explanation**: Confirms channel open. Provides channel numbers and window parameters.
---
## Packet 25: 25-client-channel_request.bin
**Direction**: client
**Size**: 60 bytes
**Packet Length**: 48
**Padding Length**: 11
**Message Code**: 98
**MAC**: de9d702e8157d450
```
SSH_MSG_CHANNEL_REQUEST {
recipient_channel: 0
request_type: 'env'
want_reply: False
variable_name: 'LANG'
variable_value: 'en_US.UTF-8'
}
```
**Explanation**: Channel-specific request (e.g., exec, pty-req, env, subsystem).
---
## Packet 26: 26-client-channel_request.bin
**Direction**: client
**Size**: 44 bytes
**Packet Length**: 32
**Padding Length**: 7
**Message Code**: 98
**MAC**: 2f2443c64a7b0a25
```
SSH_MSG_CHANNEL_REQUEST {
recipient_channel: 0
request_type: 'exec'
want_reply: True
command: 'whoami'
}
```
**Explanation**: Channel-specific request (e.g., exec, pty-req, env, subsystem).
---
## Packet 27: 27-server-channel_window_adjust.bin
**Direction**: server
**Size**: 28 bytes
**Packet Length**: 16
**Padding Length**: 6
**Message Code**: 93
**MAC**: 9dd9ec9efd85682c
```
SSH_MSG_CHANNEL_WINDOW_ADJUST {
recipient_channel: 0
bytes_to_add: 2097152
}
```
**Explanation**: Flow control. Increases the channel window size to allow more data.
---
## Packet 28: 28-server-channel_success.bin
**Direction**: server
**Size**: 28 bytes
**Packet Length**: 16
**Padding Length**: 10
**Message Code**: 99
**MAC**: 09175fff7ae9d128
```
SSH_MSG_CHANNEL_SUCCESS {
recipient_channel: 0
}
```
**Explanation**: Channel request succeeded.
---
## Packet 29: 29-server-channel_extended_data.bin
**Direction**: server
**Size**: 68 bytes
**Packet Length**: 56
**Padding Length**: 8
**Message Code**: 95
**MAC**: c543158bc98d37a8
```
SSH_MSG_CHANNEL_EXTENDED_DATA {
recipient_channel: 0
data_type_code: 1 // SSH_EXTENDED_DATA_STDERR
data: 'debug1: permanently_set_uid: 0/0\r\n'
}
```
**Explanation**: Extended channel data (usually stderr). Like CHANNEL_DATA but with a type code.
---
## Packet 30: 30-server-channel_extended_data.bin
**Direction**: server
**Size**: 212 bytes
**Packet Length**: 200
**Padding Length**: 7
**Message Code**: 95
**MAC**: f26806b090dcbe8d
```
SSH_MSG_CHANNEL_EXTENDED_DATA {
recipient_channel: 0
data_type_code: 1 // SSH_EXTENDED_DATA_STDERR
data: 'Environment:\n USER=root\n LOGNAME=root\n HOME=/var/root\n PATH=/usr/bin:/bin:/usr/sbin:/sbin:/nix/store/mkx7hna36djn2351rwyqwlhwpx6c75s4-openssh-10.1p1/bin\n MAIL=/var/mail/root\n'
}
```
**Explanation**: Extended channel data (usually stderr). Like CHANNEL_DATA but with a type code.
---
## Packet 31: 31-server-channel_extended_data.bin
**Direction**: server
**Size**: 116 bytes
**Packet Length**: 104
**Padding Length**: 10
**Message Code**: 95
**MAC**: 37ba892ac53c5974
```
SSH_MSG_CHANNEL_EXTENDED_DATA {
recipient_channel: 0
data_type_code: 1 // SSH_EXTENDED_DATA_STDERR
data: ' SHELL=/bin/sh\n SSH_CLIENT=::1 62421 2222\n SSH_CONNECTION=::1 62421 ::1 2222\n'
}
```
**Explanation**: Extended channel data (usually stderr). Like CHANNEL_DATA but with a type code.
---
## Packet 32: 32-server-channel_data.bin
**Direction**: server
**Size**: 36 bytes
**Packet Length**: 24
**Padding Length**: 9
**Message Code**: 94
**MAC**: 4305f7ae1c568618
```
SSH_MSG_CHANNEL_DATA {
recipient_channel: 0
data: 'root\n'
}
```
**Explanation**: Channel data transfer (stdout). Contains actual payload data for the channel.
---
## Packet 33: 33-server-channel_eof.bin
**Direction**: server
**Size**: 28 bytes
**Packet Length**: 16
**Padding Length**: 10
**Message Code**: 96
**MAC**: 0f051f4ac868bc36
```
SSH_MSG_CHANNEL_EOF {
recipient_channel: 0
}
```
**Explanation**: End of data on channel. No more data will be sent, but channel remains open.
---
## Packet 34: 34-server-channel_request.bin
**Direction**: server
**Size**: 44 bytes
**Packet Length**: 32
**Padding Length**: 6
**Message Code**: 98
**MAC**: ca763139dbcfef97
```
SSH_MSG_CHANNEL_REQUEST {
recipient_channel: 0
request_type: 'exit-status'
want_reply: False
request_data: <4 bytes: 00000000>
}
```
**Explanation**: Channel-specific request (e.g., exec, pty-req, env, subsystem).
---
## Packet 35: 35-server-channel_request.bin
**Direction**: server
**Size**: 44 bytes
**Packet Length**: 32
**Padding Length**: 6
**Message Code**: 98
**MAC**: 47ab0063a6b851ed
```
SSH_MSG_CHANNEL_REQUEST {
recipient_channel: 0
request_type: 'eow@openssh.com'
want_reply: False
}
```
**Explanation**: Channel-specific request (e.g., exec, pty-req, env, subsystem).
---
## Packet 36: 36-server-channel_close.bin
**Direction**: server
**Size**: 28 bytes
**Packet Length**: 16
**Padding Length**: 10
**Message Code**: 97
**MAC**: d5cea55189965da4
```
SSH_MSG_CHANNEL_CLOSE {
recipient_channel: 0
}
```
**Explanation**: Closes the channel. Other side should respond with CHANNEL_CLOSE.
---
## Packet 37: 37-client-channel_close.bin
**Direction**: client
**Size**: 28 bytes
**Packet Length**: 16
**Padding Length**: 10
**Message Code**: 97
**MAC**: 6eedb67af8145c45
```
SSH_MSG_CHANNEL_CLOSE {
recipient_channel: 0
}
```
**Explanation**: Closes the channel. Other side should respond with CHANNEL_CLOSE.
---
## Packet 38: 38-client-disconnect.bin
**Direction**: client
**Size**: 52 bytes
**Packet Length**: 40
**Padding Length**: 6
**Message Code**: 1
**MAC**: b7371119d6e47da2
```
SSH_MSG_DISCONNECT {
reason_code: 11
description: 'disconnected by user'
}
```
**Explanation**: Disconnect message. Indicates connection termination with reason code and description.
---