PcapPlusPlus  24.09
SSHLayer.h File Reference
#include "Layer.h"

Go to the source code of this file.

Classes

class  pcpp::SSHLayer
 
class  pcpp::SSHIdentificationMessage
 
class  pcpp::SSHHandshakeMessage
 
struct  pcpp::SSHHandshakeMessage::ssh_message_base
 
class  pcpp::SSHKeyExchangeInitMessage
 
class  pcpp::SSHEncryptedMessage
 

Namespaces

 pcpp
 The main namespace for the PcapPlusPlus lib.
 

Detailed Description

This file introduces classes and structures that represent the SSH (Secure Shell) protocol.

An overview of this protocol can be found here: https://en.wikipedia.org/wiki/Ssh_(Secure_Shell)

For more details please refer to RFC 4253: https://tools.ietf.org/html/rfc4253

These current implementation supports parsing of SSH packets when possible (meaning when they are not encrypted). Creation and editing of SSH packets is currently not supported.

SSH typically uses TCP port 22 so PcapPlusPlus assumes all traffic on this port is SSH traffic. PcapPlusPlus uses some heuristics to determine the type of the SSH message (which will be covered later). If it doesn't find a match to one of the other SSH messages, it assumes it is an encrypted SSH message.

Following is an overview of the SSH protocol classes currently supported in PcapPlusPlus. They cover the different messages of the SSH protocol:

                           +----------------------------+      SSH version identification
                       +---|  SSHIdentificationMessage  | ===> as described here:
                       |   +----------------------------+      https://tools.ietf.org/html/rfc4253#section-4.2
                       |
+------------+         |   +----------------------------+      SSH handshake message
|  SSHLayer  |---------+---|  SSHHandshakeMessage       | ===> which is typically one of the messages described here:
| (abstract) |         |   +----------------------------+      https://tools.ietf.org/html/rfc4253#section-12
+------------+         |                 |
                       |                 |     +----------------------------+
                       |                 +-----|  SSHKeyExchangeInitMessage | ===> SSH Key Exchange message
                       |                       +----------------------------+      as described here:
                       |                                                 https://tools.ietf.org/html/rfc4253#section-7
                       |
                       |   +----------------------------+
                       +---|  SSHEncryptedMessage       | ===> An encrypted SSH message
                           +----------------------------+

The following points describe the heuristics for deciding the message type for each packet:

  1. If the data starts with the characters "SSH-" and ends with "\n" (or "\r\n") it's assumed the message is of type pcpp::SSHIdentificationMessage
  2. Try to determine if this is a non-encrypted SSH handshake message:

    • Look at the first 4 bytes of the data which may contain the packet length and see if the value is smaller of equal than the entire layer length.
    • The next byte contains the padding length, check if it's smaller or equal than the packet length
    • The next byte contains the message type, check if the value is a valid message type as described in: https://tools.ietf.org/html/rfc4253#section-12

    If all of these condition are met, this message is either pcpp::SSHKeyExchangeInitMessage (if message type is pcpp::SSHHandshakeMessage::SSH_MSG_KEX_INIT) or pcpp::SSHHandshakeMessage (for all other message types)

  3. If non of these conditions are met, it is assumed this is an encrypted message (pcpp::SSHEncryptedMessage)