I. Introduction
The network flow monitoring [1] is being enhanced to observe and export application layer information. HTTP protocol related fields are even defined as standard IPFIX entities [2]. Although the increasing usage of encryption hinders this approach, it is possible to gain information even from the encrypted traffic [3], [4]. This paper focuses on the analysis of the Secure Shell (SSH) protocol [5], which is used for critical tasks such as server management and data transfer. To the best of our knowledge, this is the first work that studies the SSH protocol in the context of network flow monitoring.