On 03/12/2020 12:16, Samuel Sieb wrote:
Also, the capture file could contain some information that
shouldn't be publicly shared.
OK.... Let me try to make it "easier" for the OP to use this particular
"process of elimination".
Meaning, eliminate brute force ssh attacks as the source of "mysterious internet
activity".
I used tcpdump to collect a small amount of packets using
tcpdump -c 50 port 22 -w /tmp/cap.pcap
It is a small file and I hope it makes it through with this message.
The OP can start wireshark and "open" this file to display what went on and
compare it with what
they may collect on their system.
The first packet is the SYN packet from 139.199.228.133 (An IP address assigned to
China).
So, it confirms the start of the exchange comes from an external source.
Packets 1~28 shows the failed exchange.
Packet 29 is the start of another attempt from a different IP, 58.218.198.153, another IP
from
China.
---
The key to getting good answers is to ask good questions.