SSH & DNS analysis
Analyzing SSH & DNS Traffic over a pcap file.
Wireshark Packet Capture screen
In a related analysis, I opened a .pcap file and noticed several SSH encrypted packets exchanged between a VM (172.21.224.2) and a remote IP (35.235.244.34), alongside various DNS queries to opensource.google.com.
There are some notable details we can take from this:
- Multiple TCP ACK and encrypted packets over SSH (port 22) confirm active sessions.
- DNS queries for both IPv4 and IPv6 addresses, including responses resolving to Google’s infrastructure (e.g. 142.250.1.139), show domain resolution working normally.
- Payloads are unreadable because of the encryption, but TCP flags and sequence numbers are still visible, which is enough to correlate traffic flows even when the contents are opaque.
This is what a quiet system looks like at the packet level: DNS lookups, encrypted SSH sessions, ordinary TCP behaviour. That baseline is the thing to know before anything else, because anomaly detection is just “compare to baseline” in different clothes.
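Added example, not code from the post or from Wireshark: a minimal pure-Python pcap reader that extracts the same metadata the screenshot shows (TCP flag byte per SSH 5-tuple, DNS queries per client/resolver pair) and then checks the SSH peers seen against a known-good baseline, which is the "compare to baseline" step in code. The capture is constructed inline using the two addresses from the post; the resolver address 172.21.224.1, the client ports and the flag values are assumptions.

```python
import socket, struct
from collections import Counter
ETH_IPV4, TCP, UDP = 0x0800, 6, 17

def iter_pcap(data):
    # Classic little-endian pcap: 24-byte global header, then 16-byte record headers.
    assert struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4, "not little-endian pcap"
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
def parse_frame(frame):
    # Ethernet/IPv4 only: (src, dst, proto, sport, dport, tcp_flag_byte) or None.
    if struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ip, ihl, proto = frame[14:], (frame[14] & 0x0F) * 4, frame[23]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    return src, dst, proto, sport, dport, (ip[ihl + 13] if proto == TCP else None)
def summarize(pcap_bytes):
    # SSH packets per (5-tuple, TCP flag byte); DNS queries per (client, resolver).
    ssh, dns = Counter(), Counter()
    for src, dst, proto, sport, dport, flags in filter(None, map(parse_frame, iter_pcap(pcap_bytes))):
        if proto == TCP and 22 in (sport, dport):
            ssh[(src, sport, dst, dport, flags)] += 1
        elif proto == UDP and dport == 53:
            dns[(src, dst)] += 1
    return ssh, dns
def unexpected_ssh_peers(ssh, baseline_peers):
    # Baseline check: SSH server addresses in the capture that the baseline does not list.
    return {d if dp == 22 else s for s, _, d, dp, _ in ssh} - set(baseline_peers)

def frame(src, dst, proto, sport, dport, tcp_flags=0x10):  # constructed frame, not captured data
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, tcp_flags, 0, 0, 0)
          if proto == TCP else struct.pack("!HHHH", sport, dport, 8, 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + l4
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip
def build_pcap(frames):  # link type 1 = Ethernet, snaplen 65535
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
VM, REMOTE, RESOLVER = "172.21.224.2", "35.235.244.34", "172.21.224.1"  # resolver is assumed
SAMPLE_PCAP = build_pcap([
    frame(VM, REMOTE, TCP, 40412, 22, 0x02),   # SYN
    frame(REMOTE, VM, TCP, 22, 40412, 0x12),   # SYN/ACK
    frame(VM, REMOTE, TCP, 40412, 22, 0x18),   # PSH/ACK (encrypted SSH payload would follow)
    frame(VM, RESOLVER, UDP, 5353, 53),        # DNS query to the resolver
])
```

Running `summarize(SAMPLE_PCAP)` on a real capture file's bytes works the same way as long as it is classic pcap (not pcapng) with Ethernet framing; `unexpected_ssh_peers` returns an empty set when every SSH server seen is in the baseline.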
This post is licensed under CC BY 4.0 by the author.