Hi all,

I've noticed an odd phenomenon with SSH v1.2.20. Every night a process runs on machine A which contacts machines B, C and D to back up a large file using scp (the machines are all running SCO Unix v3.2, FWIW). I have a traffic logger set up on the network, and it's picking up weird traffic behaviour. Specifically, every SCP packet seems to be accompanied by an attempt to open a connection on a random port from a random port.

To elucidate, here's an edited dump of the traffic -- just a tiny snippet to give people a feel for what's going on. The first two columns give source machine and port, the second two columns give destination machine and port, and the last column gives bytes including IP headers:

Source  Port   Dest  Port   Bytes
B       22     A     1023   492
B       16352  A     15949  6
B       22     A     1023   492
B       44793  A     21516  6
A       1023   B     22     6
B       22     A     1023   492
B       53664  A     20986  6
B       22     A     1023   492
B       48813  A     64348  6

The 492-byte packets between B, port 22 and A, port 1023 are the data (one of the hops on the link has a small MTU); the 6-byte packet in the opposite direction between the same ports is an acknowledgement (some windowing is in operation). My question is: what is the other crud (the six-byte packets from the other ports)? Can anyone shed light on this?

Thanks,
Geva Patz
