Intermediate | 20 min

JA4SSH - SSH Traffic Analysis

JA4SSH fingerprints SSH sessions by analyzing packet length patterns in encrypted traffic. Different activities (interactive shell, SCP transfer, tunneling) produce distinct packet size distributions that JA4SSH captures.

Prerequisites

  • Basic understanding of SSH protocol
  • JA4T lab completed

What is JA4SSH?

SSH encrypts everything after the key exchange, so payload inspection is not possible. JA4SSH instead works from the size, count and direction of the TCP segments in a session to classify the activity inside it. Interactive typing produces small, frequent packets in both directions (one per keystroke, one per echo), while a file transfer produces a sustained stream of near-MSS packets in one direction and bare ACKs in the other.

Traffic Analysis without Decryption
JA4SSH works entirely on encrypted traffic. No keys, certificates, or decryption are needed. It analyzes packet metadata only - sizes, counts, and directionality.

JA4SSH Format

c36s36_c51s80_c0s0

JA4SSH has three underscore-separated sections, each holding a client (c) and a server (s) value. It is calculated over a sampling window of packets (200 by default), so a long session yields a sequence of fingerprints rather than a single one, and the fingerprint changes as the activity in the session changes.

c36

Client Mode

Most frequent (mode) client-to-server TCP payload length in the window, in bytes

s36

Server Mode

Most frequent server-to-client TCP payload length in the window, in bytes

c51

Client Count

Number of client-to-server packets in the window

s80

Server Count

Number of server-to-client packets in the window

c0

Client ACKs

Number of client-to-server bare ACK packets (no payload) in the window

s0

Server ACKs

Number of server-to-client bare ACK packets in the window

The mode is used rather than the average so that a burst of large output packets cannot mask the keystroke-sized packets that characterise an interactive session.

Session Classification

Interactive Shell

Each keystroke is sent as one small packet and echoed back by the server in a packet of the same size, so both modes are keystroke-sized. Command output adds larger server packets on top of the echoes, which is why the server packet count is usually higher than the client count.

Interactive SSH pattern
# Pattern: keystroke-sized mode in both directions
# Client mode 36 bytes, server mode 36 bytes (the echo)
# Server count >= client count (echoes plus command output)
c36s36_c51s80_c0s0

If the keystroke-sized packets originate on the server side and the echoes come from the client, the shell is being driven from the server end: the same pattern, mirrored.

SCP/SFTP File Transfer

File transfers produce a sustained stream of near-MSS packets in one direction; the other side sends mostly bare ACKs and occasional small window-adjust packets.

SCP upload pattern
# Upload: client mode near the MSS, server side mostly bare ACKs
# Illustrative values for a 1448-byte MSS; counts are per 200-packet window
c1448s36_c120s80_c0s60

# Download: server mode near the MSS, client side mostly bare ACKs
c36s1448_c80s120_c60s0

SSH Tunnel

Port-forwarded or SOCKS traffic (ssh -L / ssh -D) takes the shape of whatever it carries. Web browsing through a tunnel shows request-sized client packets and near-MSS server packets interleaved with small control packets, and the fingerprint changes from window to window as pages load. A single window of a tunnelled download can look like an SCP download; the sequence of fingerprints across windows is what separates them.

SSH tunnel pattern
# Tunnel: mixed sizes in both directions, mode unstable across windows
# Illustrative window while a page downloads through the tunnel
c96s1448_c70s130_c40s0

Detection Commands

Analyze SSH sessions
# Extract per-packet SSH metadata plus the JA4SSH fingerprint
# (ja4.ja4ssh is the field exposed by the JA4 Wireshark plugin; it is
#  only present on packets where the plugin emits a window fingerprint)
tshark -r capture.pcap -Y "ssh" \
  -T fields -e tcp.stream -e ip.src -e ip.dst -e tcp.len -e ja4.ja4ssh

# Count near-MSS SSH segments per stream and direction (possible bulk transfer)
tshark -r capture.pcap -Y "ssh && tcp.len > 1000" \
  -T fields -e tcp.stream -e ip.src -e ip.dst | sort | uniq -c | sort -rn

# List the JA4SSH fingerprints seen per stream; a stream whose mode shifts
# between keystroke-sized and MSS-sized from one window to the next deserves a closer look
tshark -r capture.pcap -Y "ssh && ja4.ja4ssh" \
  -T fields -e tcp.stream -e ja4.ja4ssh | sort -u
Data Exfiltration Indicator
Successive windows with a client mode near the MSS and a server side consisting mostly of bare ACKs, from an internal host to an external IP, indicate a bulk upload over SCP/SFTP. Treat it as a lead rather than a verdict: a scheduled backup or a git push over SSH produces the same fingerprint, so confirm against the destination, the volume transferred and the account involved before calling it exfiltration.

Hands-On Exercise

Step 1: Generate Different SSH Activities

# Interactive shell
ssh user@target_host

# File transfer (SCP)
scp large_file.zip user@target_host:/tmp/

# SSH tunnel (SOCKS proxy on local port 8080); the tunnel only carries
# traffic once something uses it, so send some requests through it
ssh -D 8080 user@target_host
curl --socks5-hostname 127.0.0.1:8080 https://example.com/

Step 2: Capture and Extract

# ja4.ja4ssh is the field exposed by the JA4 Wireshark plugin
tshark -r ssh_capture.pcap -Y "ssh" \
  -T fields -e tcp.stream -e ip.src -e ip.dst -e tcp.len -e ja4.ja4ssh

Step 3: Classify Each Session

Compare the fingerprints of each stream against the patterns above. Expect more than one fingerprint per stream: the interactive session changes shape when you run a command with a lot of output, and the SOCKS tunnel changes with every request you send through it. Can you identify which stream is interactive, which is the file transfer, and which is the tunnel?

Lab Complete
You can now classify SSH sessions from encrypted traffic. Check the Wireshark Plugin lab for setup tips.