ktrace and tcpdump.
I should have mentioned that the laptop is using OpenSSH but it's OSX
not OpenBSD. ktrace was replaced with I think dtrace on OSX a while ago,
so I'll have to look into how to get that set up.
As for tcpdump, I'm not sure what I'd be looking for there. Most of the
connection meat would be encrypted anyway though, wouldn't it?
more generally, see where it's stopping.
the pattern of traffic should be roughly the same. two packets that way, one
packet this way, etc. perhaps you can determine if the client is waiting for
the server, or the server for the client, or if only packets of 1337 bytes
cause trouble, etc.
OK fair enough I guess. I'll have to record several sessions to
different machines along with a broken session to the server, then
compare the whole lot side by side. Knowing my luck it'll be fine for
the next few days until I've forgotten and then go bad again.
