Consider a scenario where we have received a PCAP file for analysis and some logs from a Linux server. By analyzing the file in Wireshark, we get the following packet data:
It looks like the data belongs to the Secure Shell (SSH), and, by browsing through the Statistics | Conversations in Wireshark, we get the following:
There are mainly two hosts present on the PCAP file, which are 192.168.153.130 and 192.168.153.141. We can see that the destination port is 22, which is a commonly used port for SSH. However, this doesn't look like a standard SSH connection, as the source port is different and are in plenty. Moreover, the port numbers are not from the well-known (1-1024) and registered set of ports (1024-41951). This behavior is quite common for a example for brute force attacks.
However, we are currently not sure...