Provide steps on how to examine an SSH session with wireshark.

In Part 2, you will establish an SSH session with the localhost. Wireshark will be used to capture and
view the data of this SSH session.

a. Start another Wireshark capture.

b. You will establish an SSH session with the localhost. At the terminal prompt, enter ssh loc-
alhost. Enter yes to continue connecting. Enter the password cyberops when prompted.
```
[analyst@secOps ~]$ ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:uLDhKZflmvsR8Et8jer1NuD91cGDS1mUl/p7VI3u6kI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
analyst@localhost's password:
Last login: Sat Apr 29 00:04:21 2017 from localhost.localdomain
```
c. Stop the Wireshark capture.
d. Apply an SSH filter on the Wireshark capture data. Enter ssh in the filter field.
e. Right-click one of the SSHv2 lines in the Packet list section of Wireshark, and in the

drop-down list, select the Follow TCP Stream option.

f. Examine the Follow TCP Stream window of your SSH session. The data has been
encrypted and is unreadable. Compare the data in your SSH session to the data of your
Telnet session.
g. After examining your SSH session, click Close.
h. Close Wireshark.
Reflection
Why is SSH preferred over Telnet for remote connections?
Answers may vary.

Similar to Telnet, SSH is used to access and execute commands on a remote system. However, SSH pro-
tocol allows users to communicate with a remote system securely by encrypting the communications.

This prevents any sensitive information, such as usernames and passwords, from being captured during
the transmission.