Wireshark-users: Re: [Wireshark-users] from the past
From: M K <gedropi@xxxxxxxxx>
Date: Wed, 24 Mar 2010 12:38:55 -0800
Nothing looks odd within the WS capture itself.  Just your basic LLC &
PPP LCP from my vantage point (my machine -inside the LAN gateway).
That is probably the point.  If I had visibility to the bigger picture
and what is actually happening on the routers and switches in the WAN,
I would probably have an AHAH moment.

In the tmp file, one sees a lot of hex.

And yes, I expect that WS is just taking what it is given.

On 3/24/10, bart sikkes <b.sikkes@xxxxxxxxx> wrote:
> hi,
>
> can you show us the capture? a screenshot with the actual username /
> password removed or such?
>
> i expect it just being a reauthentication action or something like
> that. wireshark just captures what is transmitted so something is
> transmitting this at the moment of capturing. a lot more happens below
> the surface then one initially suspects (and many things will be send
> plain text). the fact it ends up in the file is because that is how
> wireshark usually works.
>
> good luck finding it,
> bart
>
> On Wed, Mar 24, 2010 at 8:58 PM, Gianluca Varenni
> <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>
>>
>> --------------------------------------------------
>> From: "M K" <gedropi@xxxxxxxxx>
>> Sent: Wednesday, March 24, 2010 12:45 PM
>> To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
>> Subject: Re: [Wireshark-users] from the past
>>
>>> Sorry.  I got called away.
>>>
>>> The etherXXXX tmp file doesn't appear to have timestamps.  But within
>>
>> If it's a valid capture file, the packets must have a timestamp, if you
>> open
>> the file with wireshark.
>>
>> GV
>>
>>
>>> WS, the LLC (Layer 2) & PPP LCP protocols are the first protocols to
>>> show up in the trace at the time the login info is captured inside the
>>> tmp file.
>>>
>>> I suspect that this info is being passed to the tmp file.  Possible
>>> suspects: the OS or networking appliances.
>>>
>>> Yes, the interface is:  Adapter for generic dialup and VPN
>>>
>>> And thanks for this feedback and help.
>>>
>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>>> You didn't answer my questions:
>>>>
>>>> 1. what is the timestamp of those packets?
>>>> 2. what interface are you capturing from?
>>>>
>>>> Are capturing from what is called "Adapter for generic dialup and VPN
>>>> capture"?
>>>>
>>>> Have a nice day
>>>> GV
>>>>
>>>>
>>>>
>>>> --------------------------------------------------
>>>> From: "M K" <gedropi@xxxxxxxxx>
>>>> Sent: Wednesday, March 24, 2010 9:25 AM
>>>> To: "Community support list for Wireshark"
>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>> Subject: Re: [Wireshark-users] from the past
>>>>
>>>>> That is exactly what I am doing.  I log onto my Windows machine, then
>>>>> my ISP, then my proxy.  Then maybe go to a few websites, for example.
>>>>> Then maybe after a half hour, I may then start up a WS capture.
>>>>> Still, even after all that time between logons and actually starting a
>>>>> capture, the etherXXXXa tmp file still contains this private info.
>>>>>
>>>>> According to Jeff, the etherXXXXa file only captures what is not
>>>>> encrypted.  That makes this even more scary.  That means that not only
>>>>> is the info being captured but it isn't even being protected by even
>>>>> low-grade encryption.
>>>>>
>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>>>>>
>>>>>>
>>>>>> --------------------------------------------------
>>>>>> From: "M K" <gedropi@xxxxxxxxx>
>>>>>> Sent: Wednesday, March 24, 2010 9:11 AM
>>>>>> To: "Community support list for Wireshark"
>>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>>> Subject: Re: [Wireshark-users] from the past
>>>>>>
>>>>>>> That is the question.  I am saying that some program (?) is capturing
>>>>>>> my unsaved login info.  Then at a later point, when I start a WS
>>>>>>> capture, that login info from the past is put into that EtherxXXXXa
>>>>>>> tmp file.
>>>>>>
>>>>>> What happens if you log into your ISP and proxy, wait let's say 5
>>>>>> minutes
>>>>>> and then start wireshark? Do those packets still show up? what is
>>>>>> their
>>>>>> tiemstamp?
>>>>>>
>>>>>> GV
>>>>>>
>>>>>>>
>>>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>>>>>>> Are you saying that when you start Wireshark, wireshark itself
>>>>>>>> starts
>>>>>>>> capturing, *before* you click the start capture button on it?
>>>>>>>> Which adapter is wireshark capturing from?
>>>>>>>>
>>>>>>>>
>>>>>>>> Have a nice day
>>>>>>>> GV
>>>>>>>>
>>>>>>>>
>>>>>>>> --------------------------------------------------
>>>>>>>> From: "M K" <gedropi@xxxxxxxxx>
>>>>>>>> Sent: Wednesday, March 24, 2010 8:12 AM
>>>>>>>> To: <wireshark-users@xxxxxxxxxxxxx>
>>>>>>>> Subject: [Wireshark-users] from the past
>>>>>>>>
>>>>>>>>> Jeff Morriss suggested that I pose this question to you folks.
>>>>>>>>>
>>>>>>>>> Here is what I wrote:
>>>>>>>>> First:
>>>>>>>>> I first log onto Windows machine
>>>>>>>>> I log onto my Isp
>>>>>>>>> I log into my proxy
>>>>>>>>> Maybe do a few things online (eg. go to a few websites)
>>>>>>>>> Then log into Wireshark
>>>>>>>>>
>>>>>>>>> Next:
>>>>>>>>> When launching WS, immediately the capture starts a DNS
>>>>>>>>> authentication
>>>>>>>>> trace
>>>>>>>>> and an etherXXXXa* file with Windows & ISP usernames AND passwords
>>>>>>>>> is
>>>>>>>>> created.
>>>>>>>>> Since I expect WS to be literal, I would expect that those actions
>>>>>>>>> that
>>>>>>>>> had
>>>>>>>>> taken place in the past (logons & DNS authentication) would not be
>>>>>>>>> captured
>>>>>>>>> since WS had not been started when I logged on.  That means that
>>>>>>>>> this
>>>>>>>>> information is being cached or worse somewhere.  For my peace of
>>>>>>>>> mind,
>>>>>>>>> please
>>>>>>>>> can you tell me about this security issue?  Thank you.
>>>>>>>>> ......................
>>>>>>>>>
>>>>>>>>> Here is what Jeff wrote:
>>>>>>>>> Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to
>>>>>>>>> do
>>>>>>>>> the
>>>>>>>>> capturing.  I'm pretty sure WinPCAP won't start capturing until you
>>>>>>>>> ask
>>>>>>>>> it
>>>>>>>>>
>>>>>>>>> to
>>>>>>>>> do so.  And I'm pretty sure that the OS's TCP/IP stack isn't going
>>>>>>>>> to
>>>>>>>>> cache
>>>>>>>>> stuff to give to WinPCAP after the fact.
>>>>>>>>>
>>>>>>>>> (BTW, the etherXXX file is just the temporary PCAP file that
>>>>>>>>> contains
>>>>>>>>> the
>>>>>>>>> packets that were captured--and what Wireshark displays for you.
>>>>>>>>> The
>>>>>>>>> fact
>>>>>>>>>
>>>>>>>>> that
>>>>>>>>> your password, etc., are in there just indicate that your password,
>>>>>>>>> etc.,
>>>>>>>>> were
>>>>>>>>> sent over the wire unencrypted.)
>>>>>>>>> ..............
>>>>>>>>> What Jeff described is what I expected but I believe that I
>>>>>>>>> understand
>>>>>>>>> now what I am seeing.  WS does its own DNS.  So, that explains the
>>>>>>>>> first question.
>>>>>>>>>
>>>>>>>>> The second issue, however, is still a big concern.  The etherXXXXa
>>>>>>>>> file always contains the complete (passwords included)
>>>>>>>>> authentication
>>>>>>>>> data plus more.  Again, this unsaved (by me) login information was
>>>>>>>>> sent over the wire in the past (PPP PAP), yet it is being saved (by
>>>>>>>>> ?)
>>>>>>>>> and put into this file in the present. How can I prevent this login
>>>>>>>>> info from being saved?  How can I encrypt this login info? This is
>>>>>>>>> a
>>>>>>>>> security risk.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> All that is necessary for evil to succeed is that good men do
>>>>>>>>> nothing.
>>>>>>>>>
>>>>>>>>>              ~Edmund Burke
>>>>>>>>> ___________________________________________________________________________
>>>>>>>>> Sent via:    Wireshark-users mailing list
>>>>>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>>>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>>>>>>
>>>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>>>>>>
>>>>>>>> ___________________________________________________________________________
>>>>>>>> Sent via:    Wireshark-users mailing list
>>>>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>>>>>
>>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> All that is necessary for evil to succeed is that good men do
>>>>>>> nothing.
>>>>>>>
>>>>>>>              ~Edmund Burke
>>>>>>> ___________________________________________________________________________
>>>>>>> Sent via:    Wireshark-users mailing list
>>>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>>>>
>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>>>>
>>>>>> ___________________________________________________________________________
>>>>>> Sent via:    Wireshark-users mailing list
>>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>>>
>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> All that is necessary for evil to succeed is that good men do nothing.
>>>>>
>>>>>              ~Edmund Burke
>>>>> ___________________________________________________________________________
>>>>> Sent via:    Wireshark-users mailing list
>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>>
>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>>
>>>> ___________________________________________________________________________
>>>> Sent via:    Wireshark-users mailing list
>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>
>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>>
>>>
>>>
>>> --
>>> All that is necessary for evil to succeed is that good men do nothing.
>>>
>>>              ~Edmund Burke
>>> ___________________________________________________________________________
>>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>
>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>
>> ___________________________________________________________________________
>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives:    http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>
>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>


-- 
All that is necessary for evil to succeed is that good men do nothing.

              ~Edmund Burke