Learning Python Network Programming

(Sean Pound) #1

Interacting with Remote Systems


12:18:19.769430 IP localhost.50768 > localhost.ssh: Flags [P.], seq 1:25, ack 1, win 513, options [nop,nop,TS val 57162362 ecr 57162360], length 24

12:18:19.769467 IP localhost.ssh > localhost.50768: Flags [.], ack 25, win 512, options [nop,nop,TS val 57162362 ecr 57162362], length 0


Although it's very quick and easy to run tcpdump, the command does not
interpret the captured traffic in the way that GUI tools such as Wireshark
do. The preceding session can be captured in Wireshark, as shown in the
following screenshot:


This clearly shows how the first three packets complete the TCP handshake.
The subsequent SSH packets then negotiate the connection between the client
and the server. It's interesting to see how the client and the server negotiate the
encryption protocols. In this example, the client port is 50768 and the server port is
22. The client first initiates the SSH packet exchange and then indicates that it would
like to talk over the SSHv2 protocol. The server agrees to that and continues the
packet exchange.
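The protocol version each side announces travels in a plain-text identification line (RFC 4253, section 4.2) sent before any encryption starts, which is why a capture can show it. The following is an added example, not code from the book: it parses that line from the first bytes a peer sent and reports whether SSHv1 is still on offer. The function names and the sample banners (including the ExampleSSHD and OldServer software names) are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_ID_RE = re.compile(rb"^SSH-([^-\s]+)-([^\s]+)(?: (.*))?$")
MAX_ID_LEN = 255  # RFC 4253 limit, including the CR LF terminator

def parse_ssh_identification(data: bytes) -> tuple:
    """Return (protoversion, softwareversion, comments) from a peer's first bytes."""
    # Only newline-terminated lines count; the unterminated tail is dropped.
    for raw in data.split(b"\n")[:-1]:
        line = raw.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue  # a server may send free-text lines before its identification
        if len(raw) + 1 > MAX_ID_LEN:
            raise ValueError("identification string exceeds 255 bytes")
        m = _ID_RE.match(line)
        if not m:
            raise ValueError("malformed identification string")
        return tuple((g or b"").decode("ascii", "replace") for g in m.groups())
    raise ValueError("no terminated SSH identification line found")

def classify(proto: str) -> str:
    """Map the announced protoversion to what the peer is willing to speak."""
    if proto == "2.0":
        return "ssh2-only"
    if proto == "1.99":  # RFC 4253 section 5.1: SSHv2 server with v1 compatibility on
        return "ssh2-with-ssh1-fallback"
    if proto.startswith("1."):
        return "ssh1-only"
    return "unknown"

def audit(data: bytes) -> tuple:
    """Return (softwareversion, classification) for one captured first flight."""
    proto, software, _comments = parse_ssh_identification(data)
    return software, classify(proto)

# Constructed sample payloads (not taken from the capture on this page).
SAMPLES = [
    b"SSH-2.0-ExampleSSHD_2.4\r\n\x00\x00\x04\x1c\x06\x14",      # banner, then binary data
    b"Authorized use only\r\nSSH-1.99-ExampleSSHD_1.0 legacy\r\n",  # pre-banner text line
    b"SSH-1.5-OldServer\n",                                        # SSHv1 peer, bare LF
]

if __name__ == "__main__":
    for payload in SAMPLES:
        print(audit(payload))
```

A result of ssh2-with-ssh1-fallback or ssh1-only on a server under your control means the SSHv1 compatibility setting should be turned off.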
