Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi, I would like some help on the above problem of mine. I want to analyze the traffic on the ssh port, i.e. I want to display the current users logged on to the ssh port and the IP addresses from where they came. What Network Perl module can I use to get my problem solved? Please suggest how to analyze traffic on the ssh port. Thank you!

Re: Analyze Traffic of ssh port using perl script
by pzbagel (Chaplain) on Jul 29, 2003 at 07:05 UTC

    Are you local on the box? If so, you can use Proc::ProcessTable to see who is running sshd. Those are your ssh users, minus the sshd which is the parent, which will be the original sshd that is running and listening on port 22. I don't know what you mean by "analyze the traffic". Hope you aren't trying to be an 31337 h4X0r or something.

    Some non-perl centered options might be parsing 'netstat -an' output and seeing who is connected to port 22. Or how about using the output of 'lsof -i'.

    HTH

      Hi, I want to get connected to port 22 of a remote machine and then get the users logged in on port 22 of that remote machine. I would like to display a list of users logged in, time of connect, disconnect time and the IP addresses from where they arrived. Can you suggest something on my above problem? Thank you!

        Unless you can authenticate and get shell access, you will not be able to enumerate what is running on the box. You used to be able to do this with a service like rstat, rwho, finger, etc. but any sysadmin worth his salt turns those services off because they are an information leak for hackers.

        If you do have shell access, then simply have your script log in and use one of the methods I described above.

        HTH
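
    The "parse netstat output" option above, as an added example that is not code from the thread. It lists the currently established TCP connections to the local ssh port, grouped by client address, from the Linux net-tools `netstat -ant` layout; the table embedded in the script is constructed sample output, and the `--live` switch and the `split_hostport` helper are this example's own names.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): list established connections
# to the local ssh port by parsing "netstat -ant" output.
use strict;
use warnings;

my $SSH_PORT = 22;

# Constructed sample output in the Linux net-tools layout; not a real capture.
my @sample = split /\n/, <<'END';
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.10:22         192.168.0.1:39664       ESTABLISHED
tcp        0      0 192.168.0.10:22         10.0.0.7:51234          ESTABLISHED
tcp        0      0 192.168.0.10:22         10.0.0.7:51240          ESTABLISHED
tcp        0      0 192.168.0.10:45000      203.0.113.5:443         ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::ffff:192.168.0.10:22  ::ffff:203.0.113.9:40000 TIME_WAIT
END

# Pass --live to read the real table from netstat instead of the sample.
my @lines = (@ARGV and $ARGV[0] eq '--live') ? qx(netstat -ant) : @sample;

# Split "host:port" at the LAST colon so IPv6 addresses stay intact.
sub split_hostport {
    my ($hp) = @_;
    my $i = rindex $hp, ':';
    return (substr($hp, 0, $i), substr($hp, $i + 1));
}

my %peers;   # remote address => list of remote ports
for my $line (@lines) {
    my @f = split ' ', $line;
    # Header line and UDP/unix sockets fall out here; only live TCP sessions count.
    next unless @f >= 6 && $f[0] =~ /^tcp6?$/ && $f[5] eq 'ESTABLISHED';
    my ($lhost, $lport) = split_hostport($f[3]);
    next unless $lport == $SSH_PORT;
    my ($rhost, $rport) = split_hostport($f[4]);
    $rhost =~ s/^::ffff://;   # IPv4 client seen through a dual-stack socket
    push @{ $peers{$rhost} }, $rport;
}

printf "%-20s %-5s %s\n", 'CLIENT', 'CONNS', 'CLIENT PORTS';
for my $host (sort keys %peers) {
    printf "%-20s %-5d %s\n", $host, scalar @{ $peers{$host} },
        join(',', @{ $peers{$host} });
}
```

    Two caveats when reading this output: an ESTABLISHED connection to port 22 is not the same as a logged-in user (it may still be authenticating, or be a failed brute-force attempt that has not been torn down yet), and the connection table carries no user name at all, so the user has to come from `who`/utmp or from the sshd log. Counting sshd processes, as suggested above, has a related wrinkle: with privilege separation each connection is served by more than one sshd process, so a raw process count overstates the number of clients.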

Re: Analyze Traffic of ssh port using perl script
by Tomte (Priest) on Jul 29, 2003 at 07:10 UTC

    the traffic is encrypted and won't be so easy to analyze for the information you seek ;)

    Seems to me you want to analyze the log your ssh-daemon logs to, not the traffic; mine logs to /var/log/auth.log, and the messages you're after look something like this:

        Jul 29 09:02:29 machinename sshd[30173]: Accepted password for username from ::ffff:192.168.0.1 port 39664 ssh2
        Jul 29 09:02:29 machine sshd(pam_unix)[9312]: session opened for user username by (uid=500)
        [...]
        Jul 29 09:07:35 machine sshd(pam_unix)[7137]: session closed for user username

    How to watch and parse this depends on your situation.

    regards,
    tomte


    Hlade's Law:

    If you have a difficult task, give it to a lazy person --
    they will find an easier way to do it.
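
One way to turn those log lines into the list the original poster asked for (user, source address, connect time, disconnect time), as an added example that is not code from the thread. The log lines embedded in the script are constructed, modelled on the excerpt above. It assumes that sshd logs the "Accepted", "session opened" and "session closed" lines of one login under the same PID (the case for current OpenSSH; the excerpt above shows an older daemon where the PAM lines carry a different PID, which the user-name fallback covers), and it also tallies failed attempts per source address, which the thread does not ask for but which the same lines give you for free.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): turn sshd syslog lines into
# per-session records with user, source address, connect and disconnect time.
use strict;
use warnings;

# Constructed sample lines, modelled on the excerpt in the reply above.
# Assumption: sshd logs "Accepted ...", "session opened" and "session closed"
# for one login under the same PID (true for current OpenSSH); a fallback
# matches by user name for daemons that log the PAM lines under another PID.
my @sample = (
    'Jul 29 09:02:29 machine sshd[30173]: Accepted password for username from ::ffff:192.168.0.1 port 39664 ssh2',
    'Jul 29 09:02:29 machine sshd(pam_unix)[30173]: session opened for user username by (uid=500)',
    'Jul 29 09:05:10 machine sshd[30201]: Accepted publickey for alice from 10.0.0.7 port 51234 ssh2',
    'Jul 29 09:05:10 machine sshd[30201]: pam_unix(sshd:session): session opened for user alice by (uid=0)',
    'Jul 29 09:06:02 machine sshd[30230]: Failed password for invalid user admin from 203.0.113.9 port 40000 ssh2',
    'Jul 29 09:06:04 machine sshd[30230]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2',
    'Jul 29 09:07:35 machine sshd(pam_unix)[30173]: session closed for user username',
);

# Read real log files when given on the command line (e.g. /var/log/auth.log),
# otherwise run on the sample above.
my @log = @ARGV ? do { my @l = <>; chomp @l; @l } : @sample;

my $ts = qr/(\w{3}\s+\d+ \d\d:\d\d:\d\d)/;   # syslog timestamp (carries no year)
my %open;       # pid => session record still in progress
my @sessions;   # every accepted login, in order of connect time
my %failed;     # source address => number of failed attempts

for my $line (@log) {
    if ($line =~ /^$ts \S+ sshd\[(\d+)\]: Accepted (\S+) for (\S+) from (\S+) port (\d+)/) {
        my ($when, $pid, $method, $user, $ip, $port) = ($1, $2, $3, $4, $5, $6);
        $ip =~ s/^::ffff://;   # unwrap IPv4-mapped IPv6 addresses
        my $s = { pid => $pid, user => $user, ip => $ip, port => $port,
                  method => $method, connect => $when, disconnect => undef };
        $open{$pid} = $s;
        push @sessions, $s;
    }
    elsif ($line =~ /^$ts \S+ sshd(?:\(pam_unix\))?\[(\d+)\]: (?:pam_unix\(sshd:session\): )?session closed for user (\S+)/) {
        my ($when, $pid, $user) = ($1, $2, $3);
        my $s = $open{$pid};
        # Fallback for daemons that log PAM lines under another PID:
        # close the oldest still-open session of that user.
        ($s) = grep { $_->{user} eq $user && !defined $_->{disconnect} } @sessions
            unless $s;
        next unless $s;
        $s->{disconnect} = $when;
        delete $open{ $s->{pid} };
    }
    elsif ($line =~ /^$ts \S+ sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ from (\S+) port \d+/) {
        (my $ip = $2) =~ s/^::ffff://;
        $failed{$ip}++;
    }
}

printf "%-10s %-16s %-16s %s\n", 'USER', 'FROM', 'CONNECTED', 'DISCONNECTED';
for my $s (@sessions) {
    printf "%-10s %-16s %-16s %s\n", $s->{user}, $s->{ip}, $s->{connect},
        $s->{disconnect} // 'still connected';
}
print "\nFailed logins by source address:\n";
printf "  %-16s %d\n", $_, $failed{$_} for sort keys %failed;
```

Run it as `perl ssh_sessions.pl /var/log/auth.log` (or with no argument for the built-in sample). Two things to keep in mind: syslog timestamps carry no year, so a rotated log that crosses New Year needs the year supplied from the file's date before you sort or compute durations; and the "user" field in "Failed ... for invalid user X" lines is whatever the remote client sent, so treat it as untrusted data when you feed these records into anything else (here the `\S+` pattern simply stops at the first space).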

Re: Perl script monitoring ssh port
by crenz (Priest) on Jul 29, 2003 at 13:31 UTC

    To achieve that, you would probably need to configure your SSH server to write a logfile, and analyze that.

    Also, the last and who Unix commands might be more useful for you.

    Update: You might also want to take a look at the User::Utmp module.

Re: Perl script monitoring ssh port
by Grygonos (Chaplain) on Jul 29, 2003 at 13:28 UTC
    I believe this will do the trick Net::SSH @ CPAN

    capturing & parsing output from the w, who, and finger commands may get you some of what you need. I don't know where to retrieve time of disconnect however.