Man or Machine?

This one is simple. There's a pcap which contains 100 SSH connections.
Only 1 of the connections was human driven. The rest weren't. All we want to know is the source port number for that 1 connection. You ONLY have 2 attempts, so don't bruteforce guess!
All the connections used the same client, server, and configurations. If everything is the same and the payload contents are encrypted, what else could you compare?
Lets run the pcap through the ssh protocols
@load base/protocols/ssh
@load base/frameworks/notice
redef exit_only_after_terminate = F;
event zeek_init(){
├── 100-ssh.pcap
├── conn.log
├── main.zeek
├── packet_filter.log
└── ssh.log
Looking for interesting metrics in the log output. ssh.log doesn't show much. However in the conn.log we find the following line.
1580833725.124151 CgvmB23cju7ppajiwf 54712 22 tcp ssh 53.446830 7173 3274189 SF - - 0 ShAdDaFf 20466 1071413 34606 5073721 - 1:vp2K1lvIUDDpljQ8WIBn+8DF/Xs=
We find this entry had substantially more orig_ip_bytes
The solution