PuTTY internals

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View

Perhaps someone knows this offhand: I've been analysing SSH traffic for
command line sessions and found that PuTTY appears to be sending each
keystroke twice. Does anyone know of a reason for this?

Eg, drawing a client packet as "*" and a server reply as "."
in OpenSSH,


and in PuTTY,


both while the same command was typed...


Brendan Gregg

[Sydney, Australia]

Re: PuTTY internals

Quoted text here. Click to load it

How have you been `analysing' the traffic? Just looking at the
encrypted data stream as it goes over the wire, or looking inside
the encryption somehow?

PuTTY can certainly be expected to send two SSH messages per
keystroke when you're typing a command at a command prompt: one is
the SSH_MSG_CHANNEL_DATA containing the character, and the other is
the SSH_MSG_CHANNEL_WINDOW_ADJUST acknowledging receipt of the
server data packet containing the echo. I would expect the server to
be sending the same two packets in response. However, the server
sends those two packets so close together in time that its TCP layer
may be clever enough to amalgamate them into a single TCP segment,
whereas PuTTY must send CHANNEL_DATA first and then WINDOW_ADJUST on
receiving the echoed character, and _then_ wait until the user types
the next character before sending a packet.

So if you're only looking at the number of TCP packets sent and have
no way of understanding their contents, then I think this is all
easily explained.

You might find PuTTY's SSH packet logging mode to be useful. This
will log the decrypted form of every SSH message to a file, and you
can match it up afterwards with the TCP packet logs. Together with
the SSH protocol drafts, this ought to give you a clear
understanding of what PuTTY is doing.
Simon Tatham         "The voices in my head are trying to ignore me.

Re: PuTTY internals


Thanks for your reply Simon! :)

On 5 May 2004, Simon Tatham wrote:

Quoted text here. Click to load it

Just looking at the encrypted data size and timing....
(something for http://www.brendangregg.com/chaosreader.html )

I can't look inside the encryption - I don't have super human eyeballs!

Quoted text here. Click to load it

Ahh - this is all very clear now. (and means I have a lot more work to
process this properly)..

Quoted text here. Click to load it

Sounds great.

BTW - PuTTY is fantastic!

thanks again,


[Sydney, Australia]

Site Timeline