Wireshark-users: Re: [Wireshark-users] from the past
From: M K <gedropi@xxxxxxxxx>
Date: Wed, 24 Mar 2010 12:29:47 -0800
The WS capture file does have time stamps. The etherXXXXa file lives at:
\Documents and Settings\Administrator\Local Settings\Temp within Windows.
This tmp file does not appear to have obvious timestamps. Machine name,
Administrator User name, packet source/dest and at times, also the
passwords to Windows and ISP.

On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>
> --------------------------------------------------
> From: "M K" <gedropi@xxxxxxxxx>
> Sent: Wednesday, March 24, 2010 12:45 PM
> To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] from the past
>
>> Sorry. I got called away.
>>
>> The etherXXXX tmp file doesn't appear to have timestamps. But within
>
> If it's a valid capture file, the packets must have a timestamp, if you open
> the file with wireshark.
>
> GV
>
>> WS, the LLC (Layer 2) & PPP LCP protocols are the first protocols to
>> show up in the trace at the time the login info is captured inside the
>> tmp file.
>>
>> I suspect that this info is being passed to the tmp file. Possible
>> suspects: the OS or networking appliances.
>>
>> Yes, the interface is: Adapter for generic dialup and VPN
>>
>> And thanks for this feedback and help.
>>
>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>> You didn't answer my questions:
>>>
>>> 1. what is the timestamp of those packets?
>>> 2. what interface are you capturing from?
>>>
>>> Are you capturing from what is called "Adapter for generic dialup and VPN
>>> capture"?
>>>
>>> Have a nice day
>>> GV
>>>
>>> --------------------------------------------------
>>> From: "M K" <gedropi@xxxxxxxxx>
>>> Sent: Wednesday, March 24, 2010 9:25 AM
>>> To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
>>> Subject: Re: [Wireshark-users] from the past
>>>
>>>> That is exactly what I am doing. I log onto my Windows machine, then
>>>> my ISP, then my proxy. Then maybe go to a few websites, for example.
>>>> Then maybe after a half hour, I may then start up a WS capture.
>>>> Still, even after all that time between logons and actually starting a
>>>> capture, the etherXXXXa tmp file still contains this private info.
>>>>
>>>> According to Jeff, the etherXXXXa file only captures what is not
>>>> encrypted. That makes this even more scary. That means that not only
>>>> is the info being captured but it isn't even being protected by even
>>>> low-grade encryption.
>>>>
>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>>>>
>>>>> --------------------------------------------------
>>>>> From: "M K" <gedropi@xxxxxxxxx>
>>>>> Sent: Wednesday, March 24, 2010 9:11 AM
>>>>> To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
>>>>> Subject: Re: [Wireshark-users] from the past
>>>>>
>>>>>> That is the question. I am saying that some program (?) is capturing
>>>>>> my unsaved login info. Then at a later point, when I start a WS
>>>>>> capture, that login info from the past is put into that EtherxXXXXa
>>>>>> tmp file.
>>>>>
>>>>> What happens if you log into your ISP and proxy, wait let's say 5
>>>>> minutes and then start wireshark? Do those packets still show up? What
>>>>> is their timestamp?
>>>>>
>>>>> GV
>>>>>
>>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>>>>>> Are you saying that when you start Wireshark, wireshark itself starts
>>>>>>> capturing, *before* you click the start capture button on it?
>>>>>>> Which adapter is wireshark capturing from?
>>>>>>>
>>>>>>> Have a nice day
>>>>>>> GV
>>>>>>>
>>>>>>> --------------------------------------------------
>>>>>>> From: "M K" <gedropi@xxxxxxxxx>
>>>>>>> Sent: Wednesday, March 24, 2010 8:12 AM
>>>>>>> To: <wireshark-users@xxxxxxxxxxxxx>
>>>>>>> Subject: [Wireshark-users] from the past
>>>>>>>
>>>>>>>> Jeff Morriss suggested that I pose this question to you folks.
>>>>>>>>
>>>>>>>> Here is what I wrote:
>>>>>>>> First:
>>>>>>>> I first log onto Windows machine
>>>>>>>> I log onto my Isp
>>>>>>>> I log into my proxy
>>>>>>>> Maybe do a few things online (eg. go to a few websites)
>>>>>>>> Then log into Wireshark
>>>>>>>>
>>>>>>>> Next:
>>>>>>>> When launching WS, immediately the capture starts a DNS authentication
>>>>>>>> trace and an etherXXXXa* file with Windows & ISP usernames AND
>>>>>>>> passwords is created.
>>>>>>>> Since I expect WS to be literal, I would expect that those actions
>>>>>>>> that had taken place in the past (logons & DNS authentication) would
>>>>>>>> not be captured since WS had not been started when I logged on. That
>>>>>>>> means that this information is being cached or worse somewhere. For
>>>>>>>> my peace of mind, please can you tell me about this security issue?
>>>>>>>> Thank you.
>>>>>>>> ......................
>>>>>>>>
>>>>>>>> Here is what Jeff wrote:
>>>>>>>> Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do
>>>>>>>> the capturing. I'm pretty sure WinPCAP won't start capturing until
>>>>>>>> you ask it to do so. And I'm pretty sure that the OS's TCP/IP stack
>>>>>>>> isn't going to cache stuff to give to WinPCAP after the fact.
>>>>>>>>
>>>>>>>> (BTW, the etherXXX file is just the temporary PCAP file that contains
>>>>>>>> the packets that were captured--and what Wireshark displays for you.
>>>>>>>> The fact that your password, etc., are in there just indicates that
>>>>>>>> your password, etc., were sent over the wire unencrypted.)
>>>>>>>> ..............
>>>>>>>> What Jeff described is what I expected but I believe that I
>>>>>>>> understand now what I am seeing. WS does its own DNS. So, that
>>>>>>>> explains the first question.
>>>>>>>>
>>>>>>>> The second issue, however, is still a big concern. The etherXXXXa
>>>>>>>> file always contains the complete (passwords included) authentication
>>>>>>>> data plus more. Again, this unsaved (by me) login information was
>>>>>>>> sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
>>>>>>>> and put into this file in the present. How can I prevent this login
>>>>>>>> info from being saved? How can I encrypt this login info? This is a
>>>>>>>> security risk.
>>>>>>>>
>>>>>>>> --
>>>>>>>> All that is necessary for evil to succeed is that good men do nothing.
>>>>>>>>
>>>>>>>> ~Edmund Burke
>>>>>>>> ___________________________________________________________________________
>>>>>>>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>>>>>>> Archives: http://www.wireshark.org/lists/wireshark-users
>>>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
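Two things are being asked in the thread: what the timestamps of the packets in the etherXXXX temp file are (Gianluca's question), and why a password shows up in that file at all (Jeff's answer: it was sent in clear, here by PPP PAP). The following is an added example, not code from the thread, from Wireshark or from WinPcap. It walks a libpcap-format file record by record, prints each record's timestamp, and flags PAP Authenticate-Request packets, which carry the peer-id and password as plain bytes (RFC 1334). It assumes DLT_PPP (link type 9) framing with the 0xFF 0x03 HDLC-style header; the thread does not state which link type the "Adapter for generic dialup and VPN" capture uses, so a real file from that adapter may need a different link-layer parser. The sample capture is constructed in memory with made-up credentials; the timestamp is the date of the message above.

```python
"""List record timestamps in a libpcap file and flag PPP PAP requests,
whose peer-id and password are sent in clear (RFC 1334).

Added example. Assumes DLT_PPP framing; the sample capture at the bottom is
constructed here, not taken from the thread's etherXXXX file.
"""
import struct
from datetime import datetime, timezone

DLT_PPP = 9
PPP_PROTO_LCP = 0xC021
PPP_PROTO_PAP = 0xC023
PAP_AUTH_REQUEST = 1


def read_pcap(data):
    """Yield (timestamp, link_type, packet_bytes) for each record in a pcap file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        e = "<"                        # little-endian file (the usual case)
    elif magic == 0xD4C3B2A1:
        e = ">"                        # same magic written big-endian
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    link_type = struct.unpack_from(e + "I", data, 20)[0]
    off = 24                           # 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from(e + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, link_type, data[off:off + incl_len]
        off += incl_len


def parse_pap_request(frame):
    """Return (peer_id, password) if frame is a PAP Authenticate-Request, else None."""
    if len(frame) < 8 or frame[:2] != b"\xff\x03":
        return None
    if struct.unpack_from(">H", frame, 2)[0] != PPP_PROTO_PAP:
        return None
    body = frame[4:]
    code, _ident, length = struct.unpack_from(">BBH", body, 0)
    if code != PAP_AUTH_REQUEST or length > len(body):
        return None                    # not a request, or truncated: do not guess
    body = body[:length]
    pos = 4
    id_len = body[pos]; pos += 1
    peer_id = body[pos:pos + id_len]; pos += id_len
    if pos >= len(body):
        return None
    pw_len = body[pos]; pos += 1
    password = body[pos:pos + pw_len]
    if len(peer_id) != id_len or len(password) != pw_len:
        return None
    return peer_id.decode("latin-1"), password.decode("latin-1")


def find_cleartext_credentials(data):
    """Return [(timestamp, peer_id, password)] for every PAP request in the file."""
    found = []
    for ts, link_type, pkt in read_pcap(data):
        if link_type != DLT_PPP:
            continue                   # other link types need their own parser
        creds = parse_pap_request(pkt)
        if creds:
            found.append((ts,) + creds)
    return found


def timestamp_range(data):
    """Return (first, last) record timestamps: the check asked for in the thread."""
    stamps = [ts for ts, _, _ in read_pcap(data)]
    return (min(stamps), max(stamps)) if stamps else None


# --- constructed sample capture (made-up traffic, not a real dialup session) ---
def ppp_frame(proto, payload):
    return b"\xff\x03" + struct.pack(">H", proto) + payload


def pap_request(ident, peer_id, password):
    opts = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    hdr = struct.pack(">BBH", PAP_AUTH_REQUEST, ident, 4 + len(opts))
    return ppp_frame(PPP_PROTO_PAP, hdr + opts)


def build_pcap(records, link_type=DLT_PPP):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, link_type)]
    for ts_sec, ts_usec, pkt in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


T0 = 1269462587                        # 2010-03-24 20:29:47 UTC, the message's date
SAMPLE_PCAP = build_pcap([
    (T0, 0, ppp_frame(PPP_PROTO_LCP, struct.pack(">BBH", 1, 1, 4))),  # LCP Configure-Request
    (T0, 500000, pap_request(1, b"user@isp.example", b"hunter2")),   # made-up credentials
])

if __name__ == "__main__":
    first, last = timestamp_range(SAMPLE_PCAP)
    print("records span", datetime.fromtimestamp(first, timezone.utc),
          "to", datetime.fromtimestamp(last, timezone.utc))
    for ts, user, pw in find_cleartext_credentials(SAMPLE_PCAP):
        print(datetime.fromtimestamp(ts, timezone.utc).isoformat(), "PAP", user, pw)
```

To run it against the real temp file, read it with `open(path, "rb").read()` and pass the bytes to `timestamp_range` and `find_cleartext_credentials`; every record in a valid libpcap file has a timestamp, which is the point Gianluca makes above. The parser only understands the classic libpcap format, which is what Wireshark wrote in 2010; current Wireshark versions write pcapng by default, which this reader rejects. The credential hit, when there is one, does not mean anything cached the login: it is the PAP exchange itself, captured as it crossed the adapter, and the only fix is to use an authentication method that does not put the password on the wire.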
- Follow-Ups:
- Re: [Wireshark-users] from the past
- From: Gianluca Varenni
- Re: [Wireshark-users] from the past
- From: Guy Harris
- Re: [Wireshark-users] from the past
- References:
- [Wireshark-users] from the past
- From: M K
- Re: [Wireshark-users] from the past
- From: Gianluca Varenni
- Re: [Wireshark-users] from the past
- From: M K
- Re: [Wireshark-users] from the past
- From: Gianluca Varenni
- Re: [Wireshark-users] from the past
- From: M K
- Re: [Wireshark-users] from the past
- From: Gianluca Varenni
- Re: [Wireshark-users] from the past
- From: M K
- Re: [Wireshark-users] from the past
- From: Gianluca Varenni