Wireshark-bugs: [Wireshark-bugs] [Bug 8349] Wireshark writes names to NRB that do not appear in
Date: Thu, 04 Apr 2013 18:54:55 +0000

Comment # 7 on bug 8349 from
(In reply to comment #6)
> > That's too bad. Seems as if there is a need for a new fix, which would
> > remove any NRB entries for IPs that aren't in the frames being saved to disk.
> 
> Why would that be a requirement? I think it my be costly performance wise
> to match the name resolution table to IP addresses in the capture at save so
> if it's to be done there has to be a good reason.

Two reasons: Privacy and Confidentiality.

Let's say a user need to share a capture file containing a single packet in
order to get help with some troubleshooting. He captures traffic on his LAN and
filters out a single packet, which is saved to a new pcapng-file. This
PcapNG-file can, however, still contain several NRB entries for hosts that the
user didn't wanna reveal.

Here is a real-world example, where I was able to reveal the identity of an
"anonymous" user who had sniffed traffic from the Great Firewall of China:

http://www.netresec.com/?page=Blog&month=2013-02&post=Forensics-of-Chinese-MITM-on-GitHub


You are receiving this mail because:
  • You are watching all bug changes.