The invention provides an SSH protocol-based session analysis method and system. The method includes the following steps that: step 101) data packets of an SSH protocol-based session are received, and the received data packets are processed as follows: when one data packet contains a plurality of complete messages, each complete message is extracted from the data packet sequentially, when messages contained in one data packet are incomplete messages, at first, the incomplete messages contained by the current data packet are cached, and then, subsequent data packets are received, and finally, the content of messages contained by the subsequent data packets and the cached messages are spliced until a complete message is obtained; and step 102) content related to generated logs is extracted from the obtained complete messages, and the content related to the generated logs is packaged according to a set format, and therefore, analyzed logs can be obtained, and session analysis can be completed. With the SSH protocol-based session analysis method and system of the invention adopted, the audit of SSH protocol-based sessions can be realized, and security guarantee can be provided for institutions such as banks.