Consider a scenario where we have received a PCAP file for analysis and some logs from a Linux server. By analyzing the file in Wireshark, we get the following packet data:

It looks like the data belongs to the Secure Shell (SSH), and, by browsing through the Statistics | Conversations in Wireshark, we get the following:

There are mainly two hosts present on the PCAP file, which are 192.168.153.130 and 192.168.153.141. We can see that the destination port is 22, which is a commonly used port for SSH. However, this doesn't look like a standard SSH connection, as the source port is different and are in plenty. Moreover, the port numbers are not from the well-known (1-1024) and registered set of ports (1024-41951). This behavior is quite common for a example for brute force attacks.

However, we are currently not sure. Let's scroll through the PCAP and investigate more, as follows:

Plenty of key exchanges are happening, as we can see from the preceding screenshot. However, there isn't a sure shot way to figure out whether the attacker succeeded in conducting a brute-force attack or not.