--- On Thu, 7/16/09, Gary Huntress <gary.huntress@xxxxxxxxx> wrote:

> What I would like to know is, how is the tunnel detected? I've
> always assumed that once my ssh session is made that every packet
> would be completely encrypted, even the headers of the tunneled
> packets. So even if the tunnel used GRE (or whatever) it would be
> encrypted too. Clearly that's not the case.
>
> So, how is my tunnel detected? And no I'm not going to keep trying,
> this is a fireable offense!
>
> Gary H.

The tunnel will be visible in netstat and/or lsof on the ssh server. With netstat, you won't see who is tunneling. But with lsof it would show up:

root@thug:/home/user01# lsof -ni |grep 11111
sshd 21716 user01 10u IPv4 16978115 TCP 10.26.0.111:38272->10.26.0.211:11111 (ESTABLISHED)
root@thug:/home/user01# netstat -an |grep 11111
tcp 0 0 10.26.0.111:38272 10.26.0.211:11111 ESTABLISHED

If it's not permitted, why don't they simply deny it in sshd_config?

#AllowTcpForwarding no
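The lsof check from the reply above, generalized into a filter (an added example, not part of the original message): it reads lsof output and reports every socket held by sshd that is not the SSH service itself, including listeners, which is how remote forwards appear. Assumptions: sshd listens on port 22 (the hypothetical SSHD_PORT variable overrides it), and every sample line except the one taken from the message is constructed.

```shell
#!/bin/sh
# Added example: list sockets owned by sshd that are not the SSH service port.
# Assumption: sshd listens on port 22; set SSHD_PORT to override.

find_ssh_forwards() {
    # stdin: lsof -nP -i style lines; stdout: "user pid kind endpoint"
    awk -v port="${SSHD_PORT:-22}" '
    $1 == "sshd" {
        # Locate NAME by the TCP column so old and new lsof layouts both parse.
        for (i = 1; i < NF; i++) if ($i == "TCP") break
        if (i >= NF) next
        name = $(i + 1); state = $(i + 2)
        if (index(name, "->")) {
            # Connected socket: local end is left of the arrow.
            split(name, ends, "->")
            n = split(ends[1], a, ":")
            # sshd holding a connection from a non-service port is acting
            # as a client on behalf of a user (local or dynamic forward).
            if (state == "(ESTABLISHED)" && a[n] != port)
                print $3, $2, "forward-out", name
        } else if (state == "(LISTEN)") {
            # Extra listener owned by sshd (remote forward; X11 forwarding
            # listeners show up here as well).
            n = split(name, a, ":")
            if (a[n] != port)
                print $3, $2, "forward-listen", name
        }
    }'
}

sample_lsof() {
    # Third line is the one shown in the message; the rest are constructed.
    cat <<'EOF'
sshd     1022 root    3u IPv4 16970001 TCP *:22 (LISTEN)
sshd    21716 user01  3u IPv4 16978001 TCP 10.26.0.111:22->10.26.0.50:51514 (ESTABLISHED)
sshd    21716 user01 10u IPv4 16978115 TCP 10.26.0.111:38272->10.26.0.211:11111 (ESTABLISHED)
sshd    22840 user02  9u IPv4 16979320 0t0 TCP 127.0.0.1:8080 (LISTEN)
EOF
}

sample_lsof | find_ssh_forwards
```

On a live server, feed it `lsof -nP -i`; without -P, lsof prints port 22 as `ssh` and the port comparison no longer matches.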