Wireshark-users: Re: [Wireshark-users] from the past
From: "Gianluca Varenni" <gianluca.varenni@xxxxxxxxxxxx>
Date: Wed, 24 Mar 2010 13:35:49 -0700
-------------------------------------------------- From: "M K" <gedropi@xxxxxxxxx> Sent: Wednesday, March 24, 2010 1:29 PM To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx> Subject: Re: [Wireshark-users] from the past
The WS capture file does have time stamps. The etherXXXXa file lives at: \Documents and Settings\Administrator\Local Settings\Temp within Windows. This tmp file does not appear to have obvious timestamps. Machine name, Administrator User name, packet source/dest and at times, also the passwords to Windows and ISP.
Wait... is this a pcap file or not? Can you open it with wireshark? Have a nice day GV
On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:-------------------------------------------------- From: "M K" <gedropi@xxxxxxxxx> Sent: Wednesday, March 24, 2010 12:45 PMTo: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>Subject: Re: [Wireshark-users] from the pastSorry. I got called away. The etherXXXX tmp file doesn't appear to have timestamps. But withinIf it's a valid capture file, the packets must have a timestamp, if you openthe file with wireshark. GVWS, the LLC (Layer 2) & PPP LCP protocols are the first protocols to show up in the trace at the time the login info is captured inside the tmp file. I suspect that this info is being passed to the tmp file. Possible suspects: the OS or networking appliances. Yes, the interface is: Adapter for generic dialup and VPN And thanks for this feedback and help. On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:You didn't answer my questions: 1. what is the timestamp of those packets? 2. what interface are you capturing from? Are capturing from what is called "Adapter for generic dialup and VPN capture"? Have a nice day GV -------------------------------------------------- From: "M K" <gedropi@xxxxxxxxx> Sent: Wednesday, March 24, 2010 9:25 AM To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx> Subject: Re: [Wireshark-users] from the pastThat is exactly what I am doing. I log onto my Windows machine, then my ISP, then my proxy. Then maybe go to a few websites, for example. Then maybe after a half hour, I may then start up a WS capture. Still, even after all that time between logons and actually starting a capture, the etherXXXXa tmp file still contains this private info. According to Jeff, the etherXXXXa file only captures what is not encrypted. That makes this even more scary. That means that not only is the info being captured but it isn't even being protected by even low-grade encryption. On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:-------------------------------------------------- From: "M K" <gedropi@xxxxxxxxx> Sent: Wednesday, March 24, 2010 9:11 AM To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx> Subject: Re: [Wireshark-users] from the pastThat is the question. I am saying that some program (?) is capturingmy unsaved login info. Then at a later point, when I start a WS capture, that login info from the past is put into that EtherxXXXXa tmp file.What happens if you log into your ISP and proxy, wait let's say 5 minutesand then start wireshark? Do those packets still show up? what is theirtiemstamp? GVOn 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:Are you saying that when you start Wireshark, wireshark itself startscapturing, *before* you click the start capture button on it? Which adapter is wireshark capturing from? Have a nice day GV -------------------------------------------------- From: "M K" <gedropi@xxxxxxxxx> Sent: Wednesday, March 24, 2010 8:12 AM To: <wireshark-users@xxxxxxxxxxxxx> Subject: [Wireshark-users] from the pastJeff Morriss suggested that I pose this question to you folks. Here is what I wrote: First: I first log onto Windows machine I log onto my Isp I log into my proxy Maybe do a few things online (eg. go to a few websites) Then log into Wireshark Next: When launching WS, immediately the capture starts a DNS authentication trace and an etherXXXXa* file with Windows & ISP usernames AND passwords is created. Since I expect WS to be literal, I would expect that those actions that had taken place in the past (logons & DNS authentication) would not be captured since WS had not been started when I logged on. That means that this information is being cached or worse somewhere. For my peace of mind, please can you tell me about this security issue? Thank you. ...................... Here is what Jeff wrote:Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to dothecapturing. I'm pretty sure WinPCAP won't start capturing until youask it to do so. And I'm pretty sure that the OS's TCP/IP stack isn't going to cache stuff to give to WinPCAP after the fact. (BTW, the etherXXX file is just the temporary PCAP file that contains the packets that were captured--and what Wireshark displays for you. The fact thatyour password, etc., are in there just indicate that your password,etc., were sent over the wire unencrypted.) .............. What Jeff described is what I expected but I believe that I understand now what I am seeing. WS does its own DNS. So, that explains the first question. The second issue, however, is still a big concern. The etherXXXXa file always contains the complete (passwords included) authentication data plus more. Again, this unsaved (by me) login information wassent over the wire in the past (PPP PAP), yet it is being saved (by?)and put into this file in the present. How can I prevent this login info from being saved? How can I encrypt this login info? This is asecurity risk. -- All that is necessary for evil to succeed is that good men do nothing. ~Edmund Burke ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe--All that is necessary for evil to succeed is that good men do nothing.~Edmund Burke ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe-- All that is necessary for evil to succeed is that good men do nothing. ~Edmund Burke ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe___________________________________________________________________________Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe-- All that is necessary for evil to succeed is that good men do nothing. ~Edmund Burke ___________________________________________________________________________Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe-- All that is necessary for evil to succeed is that good men do nothing. ~Edmund Burke ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-usersmailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
- Follow-Ups:
- Re: [Wireshark-users] from the past
- From: M K
- Re: [Wireshark-users] from the past
- References:
- [Wireshark-users] from the past
- From: M K
- Re: [Wireshark-users] from the past
- From: Gianluca Varenni
- Re: [Wireshark-users] from the past
- From: M K
- Re: [Wireshark-users] from the past
- From: Gianluca Varenni
- Re: [Wireshark-users] from the past
- From: M K
- Re: [Wireshark-users] from the past
- From: Gianluca Varenni
- Re: [Wireshark-users] from the past
- From: M K
- Re: [Wireshark-users] from the past
- From: Gianluca Varenni
- Re: [Wireshark-users] from the past
- From: M K
- [Wireshark-users] from the past
- Prev by Date: Re: [Wireshark-users] from the past
- Next by Date: Re: [Wireshark-users] from the past
- Previous by thread: Re: [Wireshark-users] from the past
- Next by thread: Re: [Wireshark-users] from the past
- Index(es):