
Wireshark sshdump does not send ssh sequence Client: Key Exchange Init

asked 2020-12-23 11:23:10 +0000



While testing the Wireshark feature sshdump, it seems that Wireshark never sent the ssh sequence "Client: Key Exchange Init" (which follows the ssh sequences Server: Protocol SSH-2.0 / Client: Protocol SSH-2.0).

It means that if the requested remote server does not send the "Server: Key Exchange Init" ssh sequence first, the ssh connection will never be established between Wireshark sshdump and the remote server.

Is it normal that Wireshark never sends "Client: Key Exchange Init"? Or is it triggered by a specific Wireshark option?

Wireshark version: 3.4.1 (v3.4.1-0-g1a27f405875f). Same behavior on 3.4.0.



1 Answer


answered 2020-12-24 03:46:48 +0000


updated 2020-12-24 03:56:06 +0000

Wireshark uses libssh for the ssh connection, so behavior will depend on that code.
Recently the Wireshark ssh libraries have been updated for macOS and Windows.
Looking through the (libssh) code, there were changes in how this was handled between versions.

Here is behavior on Windows for libssh-0.7.3 (Wireshark 3.4.x and earlier):

[image]

The connection failed - server was locked down to not support old kex algorithms.

Here is a connection to the same server with development branch (3.5.0rc0-355-g4227e5a1adef) which uses libssh-0.9.5:

[image]



Thanks for your reply, I will test it with future stable Wireshark version 3.5.

Pat (2020-12-28 08:49:00 +0000)
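As an added example (not code from this thread, from Wireshark or from libssh), the script below encodes and decodes the SSH_MSG_KEXINIT payload defined in RFC 4253 section 7.1 and applies its negotiation rule (the first client kex algorithm the server also lists wins), which is the step where a client offering only older kex algorithms fails against a server that has been locked down, as in the answer. The algorithm lists are constructed for illustration and are not libssh's actual defaults.

```python
import struct

KEXINIT = 20  # SSH_MSG_KEXINIT message number (RFC 4253, section 7.1)
NAME_LIST_FIELDS = [  # the ten name-lists that follow the 16-byte cookie
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
    "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c",
]

def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload from a dict of name-lists (cookie is constructed, not random)."""
    payload = bytes([KEXINIT]) + cookie
    for field in NAME_LIST_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        payload += struct.pack(">I", len(names)) + names  # uint32 length + comma-separated names
    return payload + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows=FALSE, reserved=0

def parse_kexinit(payload):
    """Decode a KEXINIT payload into its name-lists; raises ValueError on malformed input."""
    if len(payload) < 17 or payload[0] != KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}  # skip message number and cookie
    for field in NAME_LIST_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated before name-list %s" % field)
        (n,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + n]
        if len(raw) != n:
            raise ValueError("truncated name-list %s" % field)
        lists[field] = raw.decode("ascii").split(",") if raw else []
        pos += 4 + n
    return lists

def negotiate_kex(client, server):
    """RFC 4253 7.1 rule: first algorithm in the client's list that the server also offers."""
    server_set = set(server["kex_algorithms"])
    return next((alg for alg in client["kex_algorithms"] if alg in server_set), None)

# Constructed sample lists (hypothetical, not libssh defaults).
OLD_CLIENT = {"kex_algorithms": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"]}
NEW_CLIENT = {"kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256",
                                 "diffie-hellman-group1-sha1"]}
LOCKED_SERVER = {"kex_algorithms": ["curve25519-sha256", "diffie-hellman-group-exchange-sha256"],
                 "server_host_key_algorithms": ["ssh-ed25519"]}

if __name__ == "__main__":
    server_lists = parse_kexinit(build_kexinit(LOCKED_SERVER))  # round trip through the wire format
    print("old client:", negotiate_kex(OLD_CLIENT, server_lists))  # None: no common kex, handshake fails
    print("new client:", negotiate_kex(NEW_CLIENT, server_lists))  # curve25519-sha256
```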
