The network flow monitoring has evolved to collect information beyond the network and transport layers, most importantly the application layer information. This information is used to improve network security and performance by enabling more precise performance analysis and intrusion detection. In this paper, we contribute to this effort by extending flow monitoring with information from the SSH protocol. Firstly, we analyze the SSH protocol to determine which information can be obtained from the connection establishment phase. Based on the analysis, we create an extension to our flow monitoring infrastructure that allows obtaining the selected information. Lastly, we analyze the SSH connections observed in the university campus network and discuss the benefits of performing the detailed SSH protocol analysis. We argue that with a precise recognition of login attempt results it is possible to improve the detection of successful brute-force password attacks. Moreover, we publish an anonymized version of our dataset including the SSH specific information.