All;

I'm working on an ssh honeypot to analyze botnets, and I'm trying to find the chunk of code that specifies the following (like in Kippo)

TIMESTAMP [HoneyPotTransport,2522,XX.XX.XX.XX] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
TIMESTAMP [HoneyPotTransport,2522,XX.XX.XX.XX] outgoing: aes128-ctr hmac-sha1 none
TIMESTAMP [HoneyPotTransport,2522,XX.XX.XX.XX] incoming: aes128-ctr hmac-sha1 none

I was able to find the section in sshd.c where I can log the client name and port, and the section in auth.c where the password is cleartext, but I have no idea what I'm really looking for for finding the protocols.

I honestly have no idea where I should really be looking. If somebody can point me in the right direction (or send a code fragment) I'd really appreciate it.

I'll post a link back to the mailing list of where everyone else can find the completed code if I get some help.

(BTW: It's live already at http://longtail.it.marist.edu and I've already found and/or analyzed 9 botnets. Having better information on who's attacking will make it easier I hope to bunch them all together).

(And no, I'm not rising to the bait about tcpwrappers :-) It's decided and done.)

>>>Ericw

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev