Solution de Trachinus pour ja4a4a4do0o0ore SSH !

#!/bin/bash

PCAP_FILE="$1"

if [ -z "$PCAP_FILE" ]; then
  echo "Usage: $0 file.pcap"
  exit 1
fi

echo "[*] Analyzing $PCAP_FILE on port 2222 as SSH..."

# Get all TCP packets on port 2222 and extract: time, tcp.stream, ip.src, ip.dst
# Force tshark to decode port 2222 as SSH
tshark -r "$PCAP_FILE" -d tcp.port==2222,ssh -Y "tcp.port == 2222" \
  -T fields -e frame.time_relative -e tcp.stream -e ip.src -e ip.dst \
| sort -k2,2n -k1,1n \
| awk '
BEGIN {
  prev_stream = -1;
}
{
  time = $1;
  stream = $2;
  src = $3;
  dst = $4;

  if (stream != prev_stream) {
    if (prev_stream != -1 && max_delta > 30) {
      printf("[!] Suspicious stream %s: max idle = %.2f sec between %s and %s\n", prev_stream, max_delta, prev_src, prev_dst);
    }
    prev_stream = stream;
    prev_time = time;
    max_delta = 0;
    prev_src = src;
    prev_dst = dst;
    next;
  }

  delta = time - prev_time;
  if (delta > max_delta) {
    max_delta = delta;
  }
  prev_time = time;
}
END {
  if (prev_stream != -1 && max_delta > 30) {
    printf("[!] Suspicious stream %s: max idle = %.2f sec between %s and %s\n", prev_stream, max_delta, prev_src, prev_dst);
  }
}'