On 03/12/2020 12:16, Samuel Sieb wrote:
Also, the capture file could contain some information that shouldn't be publicly shared.
OK.... Let me try to make it "easier" for the OP to use this particular "process of elimination". Meaning, eliminate brute force ssh attacks as the source of "mysterious internet activity". I used tcpdump to collect a small amount of packets using tcpdump -c 50 port 22 -w /tmp/cap.pcap It is a small file and I hope it makes it through with this message. The OP can start wireshark and "open" this file to display what went on and compare it with what they may collect on their system. The first packet is the SYN packet from 139.199.228.133 (An IP address assigned to China). So, it confirms the start of the exchange comes from an external source. Packets 1~28 shows the failed exchange. Packet 29 is the start of another attempt from a different IP, 58.218.198.153, another IP from China. --- The key to getting good answers is to ask good questions.
Attachment:
cap.pcap
Description: application/vnd.tcpdump.pcap
_______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx