PcapPlusPlus
21.11
|
#include "Layer.h"
Go to the source code of this file.
Classes | |
class | pcpp::SSHLayer |
class | pcpp::SSHIdentificationMessage |
class | pcpp::SSHHandshakeMessage |
struct | pcpp::SSHHandshakeMessage::ssh_message_base |
class | pcpp::SSHKeyExchangeInitMessage |
class | pcpp::SSHEncryptedMessage |
Namespaces | |
pcpp | |
The main namespace for the PcapPlusPlus lib. | |
This file introduces classes and structures that represent the SSH (Secure Shell) protocol.
An overview of this protocol can be found here: https://en.wikipedia.org/wiki/Ssh_(Secure_Shell)
For more details please refer to RFC 4253: https://tools.ietf.org/html/rfc4253
These current implementation supports parsing of SSH packets when possible (meaning when they are not encrypted). Creation and editing of SSH packets is currently not supported.
SSH typically uses TCP port 22 so PcapPlusPlus assumes all traffic on this port is SSH traffic. PcapPlusPlus uses some heuristics to determine the type of the SSH message (which will be covered later). If it doesn't find a match to one of the other SSH messages, it assumes it is an encrypted SSH message.
Following is an overview of the SSH protocol classes currently supported in PcapPlusPlus. They cover the differnet messages of the SSH protocol:
+----------------------------+ SSH version identification +---| SSHIdentificationMessage | ===> as described here: | +----------------------------+ https://tools.ietf.org/html/rfc4253#section-4.2 | +------------+ | +----------------------------+ SSH handshake message | SSHLayer |-------------+---| SSHHandshakeMessage | ===> which is typically one of the messages described here: | (abstract) | | +----------------------------+ https://tools.ietf.org/html/rfc4253#section-12 +------------+ | | | | +----------------------------+ SSH Key Exchange message | +-----| SSHKeyExchangeInitMessage | ===> as described here: | +----------------------------+ https://tools.ietf.org/html/rfc4253#section-7 | | +----------------------------+ +---| SSHEncryptedMessage | ===> An encrypted SSH message +----------------------------+
The following points describe the heuristics for deciding the message type for each packet:
Try to determine if this is a non-encrypted SSH handshake message:
If all of these condition are met, this message is either pcpp::SSHKeyExchangeInitMessage (if messsage type is pcpp::SSHHandshakeMessage::SSH_MSG_KEX_INIT) or pcpp::SSHHandshakeMessage (for all other message types)