That's likely an artifact of the client side I'd think. While not most of them, a significant portion of clients exhibited similar behaviour on mine. Disconnects before the handshake were quite common (due to simple port scanning), others seemed to perform the handshake for discovery without actually completing/attempting a login. I've chalked that up to things looking for vulnerable server versions (e.g. home routers).
About the only interesting thing I've seen on mine was login attempts using a single compromised key instead of the old brigade of admin/admin password attempts. Although I guess that might just be some known backdoor of some popular network equipment that I was not aware of at the time.
About the only interesting thing I've seen on mine was login attempts using a single compromised key instead of the old brigade of admin/admin password attempts. Although I guess that might just be some known backdoor of some popular network equipment that I was not aware of at the time.