# SSH Packets from none-exec.pcapng
Extracted SSH packets in chronological order.
**Note:** Each .bin file contains a complete SSH packet including:
- Packet length field (4 bytes)
- Padding length (1 byte)
- Payload (variable)
- Padding (variable)
- MAC (8 bytes, only present after NEWKEYS - umac-64@openssh.com)
## Packet Details
| 0 | `00-client-banner.bin` | client | 5 | 22 | Banner | 0 |
| 1 | `01-server-banner.bin` | server | 7 | 22 | Banner | 0 |
| 2 | `02-client-kexinit.bin` | client | 9 | 1360 | KEXINIT | 0 |
| 3 | `03-server-kexinit.bin` | server | 11 | 832 | KEXINIT | 0 |
| 4 | `04-client-kexdh_init.bin` | client | 13 | 1232 | KEXDH_INIT | 0 |
| 5 | `05-server-kexdh_reply.bin` | server | 15 | 1280 | KEXDH_REPLY | 0 |
| 6 | `06-server-newkeys.bin` | server | 15 | 16 | NEWKEYS | 0 |
| 7 | `07-server-ext_info.bin` | server | 15 | 276 | EXT_INFO | 8 |
| 8 | `08-client-newkeys.bin` | client | 17 | 16 | NEWKEYS | 0 |
| 9 | `09-client-ext_info.bin` | client | 17 | 60 | EXT_INFO | 8 |
| 10 | `10-client-service_request.bin` | client | 19 | 36 | SERVICE_REQUEST | 8 |
| 11 | `11-server-service_accept.bin` | server | 21 | 36 | SERVICE_ACCEPT | 8 |
| 12 | `12-client-userauth_request.bin` | client | 23 | 52 | USERAUTH_REQUEST | 8 |
| 13 | `13-server-ext_info.bin` | server | 25 | 204 | EXT_INFO | 8 |
| 14 | `14-server-userauth_failure.bin` | server | 25 | 60 | USERAUTH_FAILURE | 8 |
| 15 | `15-client-userauth_request.bin` | client | 27 | 132 | USERAUTH_REQUEST | 8 |
| 16 | `16-server-userauth_pk_ok.bin` | server | 29 | 92 | USERAUTH_PK_OK | 8 |
| 17 | `17-client-userauth_request.bin` | client | 31 | 300 | USERAUTH_REQUEST | 8 |
| 18 | `18-server-userauth_success.bin` | server | 33 | 20 | USERAUTH_SUCCESS | 8 |
| 19 | `19-client-channel_open.bin` | client | 35 | 44 | CHANNEL_OPEN | 8 |
| 20 | `20-client-global_request.bin` | client | 35 | 52 | GLOBAL_REQUEST | 8 |
| 21 | `21-server-global_request.bin` | server | 37 | 820 | GLOBAL_REQUEST | 8 |
| 22 | `22-server-debug.bin` | server | 37 | 140 | DEBUG | 8 |
| 23 | `23-server-debug.bin` | server | 38 | 140 | DEBUG | 8 |
| 24 | `24-server-channel_open_confirmation.bin` | server | 41 | 36 | CHANNEL_OPEN_CONFIRMATION | 8 |
| 25 | `25-client-channel_request.bin` | client | 43 | 60 | CHANNEL_REQUEST | 8 |
| 26 | `26-client-channel_request.bin` | client | 43 | 44 | CHANNEL_REQUEST | 8 |
| 27 | `27-server-channel_window_adjust.bin` | server | 45 | 28 | CHANNEL_WINDOW_ADJUST | 8 |
| 28 | `28-server-channel_success.bin` | server | 45 | 28 | CHANNEL_SUCCESS | 8 |
| 29 | `29-server-channel_extended_data.bin` | server | 47 | 68 | CHANNEL_EXTENDED_DATA | 8 |
| 30 | `30-server-channel_extended_data.bin` | server | 49 | 212 | CHANNEL_EXTENDED_DATA | 8 |
| 31 | `31-server-channel_extended_data.bin` | server | 51 | 116 | CHANNEL_EXTENDED_DATA | 8 |
| 32 | `32-server-channel_data.bin` | server | 53 | 36 | CHANNEL_DATA | 8 |
| 33 | `33-server-channel_eof.bin` | server | 55 | 28 | CHANNEL_EOF | 8 |
| 34 | `34-server-channel_request.bin` | server | 55 | 44 | CHANNEL_REQUEST | 8 |
| 35 | `35-server-channel_request.bin` | server | 55 | 44 | CHANNEL_REQUEST | 8 |
| 36 | `36-server-channel_close.bin` | server | 55 | 28 | CHANNEL_CLOSE | 8 |
| 37 | `37-client-channel_close.bin` | client | 57 | 28 | CHANNEL_CLOSE | 8 |
| 38 | `38-client-disconnect.bin` | client | 58 | 52 | DISCONNECT | 8 |
## Verification
All packets have been verified byte-by-byte against the original pcap TCP stream:
- ✓ All 39 packets extracted correctly
- ✓ All MACs present after NEWKEYS (8 bytes each, umac-64@openssh.com)
- ✓ All packet boundaries correct
- ✓ All filenames match actual SSH message types
## Extraction
Packets were extracted using `extract_ssh_packets.py`. The script:
1. Parses KEXINIT to determine MAC algorithm (umac-64@openssh.com)
2. Tracks NEWKEYS messages to know when MACs start
3. Handles multiple SSH packets within single TCP frames
4. Extracts complete packets including length field, payload, padding, and MAC