Quartz wrote:
> > ktrace and tcpdump.
>
> I should have mentioned that the laptop is using OpenSSH but it's OSX
> not OpenBSD. ktrace was replaced with I think dtrace on OSX a while ago,
> so I'll have to look into how to get that set up.
>
> As for tcpdump, I'm not sure what I'd be looking for there. Most of the
> connection meat would be encrypted anyway though, wouldn't it?

more generally, see where it's stopping. the pattern of traffic should be roughly the same. two packets that way, one packet this way, etc. perhaps you can determine if the client is waiting for the server, or the server for the client, or if only packets of 1337 bytes cause trouble, etc. you have a scenario where sometimes it works and sometimes not, based on whether the normal introspection capabilities are used. so use a different set of inspection capabilities to find the difference.
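
One way to run the comparison described above, as an added example that is not part of the original message: it reduces two text captures (the output format of `tcpdump -n -tt`) to a direction/length sequence and reports where the failing run stops following the working one. The captures, the documentation-range addresses and the function names are constructed for illustration.

```python
import re

# Matches text lines as printed by `tcpdump -n -tt` for TCP over IPv4.
LINE = re.compile(r"^(\d+\.\d+) IP (\S+) > (\S+): .*\blength (\d+)")
CLIENT = "192.0.2.10"  # constructed client address (documentation range)

# Constructed capture of a working connection.
GOOD = """\
1700000000.100000 IP 192.0.2.10.51234 > 198.51.100.5.22: Flags [P.], seq 1:22, ack 1, win 2058, length 21
1700000000.150000 IP 198.51.100.5.22 > 192.0.2.10.51234: Flags [P.], seq 1:22, ack 22, win 271, length 21
1700000000.150100 IP 192.0.2.10.51234 > 198.51.100.5.22: Flags [.], ack 22, win 2058, length 0
1700000000.160000 IP 192.0.2.10.51234 > 198.51.100.5.22: Flags [P.], seq 22:1414, ack 22, win 2058, length 1392
1700000000.200000 IP 198.51.100.5.22 > 192.0.2.10.51234: Flags [P.], seq 22:1102, ack 1414, win 271, length 1080
1700000000.210000 IP 192.0.2.10.51234 > 198.51.100.5.22: Flags [P.], seq 1414:1462, ack 1102, win 2058, length 48
1700000000.300000 IP 198.51.100.5.22 > 192.0.2.10.51234: Flags [P.], seq 1102:1554, ack 1462, win 271, length 452
"""
# Constructed failing run: identical start, then nothing more arrives.
BAD = "\n".join(GOOD.splitlines()[:6])

def flow(capture, client_ip):
    """Return [(time, direction, length)] for packets that carry payload."""
    out = []
    for line in capture.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, src, _dst, length = m.groups()
        if int(length) == 0:  # bare ACKs say nothing about who is waiting
            continue
        # tcpdump prints addr.port, so drop the last dotted field
        direction = "C>S" if src.rsplit(".", 1)[0] == client_ip else "S>C"
        out.append((float(ts), direction, int(length)))
    return out

def where_it_stops(good, bad):
    """Compare direction sequences; payload stays opaque, only the shape is used."""
    i = 0
    while i < min(len(good), len(bad)) and good[i][1] == bad[i][1]:
        i += 1
    return {
        "matched": i,                                         # packets in step
        "last_seen": bad[i - 1][1:] if i else None,           # last packet in step
        "expected_next": good[i][1:] if i < len(good) else None,
        "got_instead": bad[i][1:] if i < len(bad) else None,  # None = silence
    }

if __name__ == "__main__":
    print(where_it_stops(flow(GOOD, CLIENT), flow(BAD, CLIENT)))
```

Here the failing run ends after a 48-byte client packet while the working run shows a server reply next, so the client is the side left waiting.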

