wireshark-users March 2010 archive

Re: [Wireshark-users] from the past

From: M K <gedropi_at_nospam>
Date: Wed Mar 24 2010 - 20:29:47 GMT
To: Community support list for Wireshark <wireshark-users@wireshark.org>

The WS capture file does have time stamps. The etherXXXXa file lives
at: \Documents and Settings\Administrator\Local Settings\Temp within
Windows. This tmp file does not appear to have obvious timestamps.
It contains the machine name, the Administrator user name, packet
source/dest and, at times, also the passwords to Windows and ISP.

On 3/24/10, Gianluca Varenni <gianluca.varenni@cacetech.com> wrote:
>
>
> --------------------------------------------------
> From: "M K" <gedropi@gmail.com>
> Sent: Wednesday, March 24, 2010 12:45 PM
> To: "Community support list for Wireshark" <wireshark-users@wireshark.org>
> Subject: Re: [Wireshark-users] from the past
>
>> Sorry. I got called away.
>>
>> The etherXXXX tmp file doesn't appear to have timestamps. But within
>
> If it's a valid capture file, the packets must have a timestamp, if you open
> the file with wireshark.
>
> GV
>
>
>> WS, the LLC (Layer 2) & PPP LCP protocols are the first protocols to
>> show up in the trace at the time the login info is captured inside the
>> tmp file.
>>
>> I suspect that this info is being passed to the tmp file. Possible
>> suspects: the OS or networking appliances.
>>
>> Yes, the interface is: Adapter for generic dialup and VPN
>>
>> And thanks for this feedback and help.
>>
>> On 3/24/10, Gianluca Varenni <gianluca.varenni@cacetech.com> wrote:
>>> You didn't answer my questions:
>>>
>>> 1. what is the timestamp of those packets?
>>> 2. what interface are you capturing from?
>>>
>>> Are you capturing from what is called "Adapter for generic dialup and VPN
>>> capture"?
>>>
>>> Have a nice day
>>> GV
>>>
>>>
>>>
>>> --------------------------------------------------
>>> From: "M K" <gedropi@gmail.com>
>>> Sent: Wednesday, March 24, 2010 9:25 AM
>>> To: "Community support list for Wireshark" <wireshark-users@wireshark.org>
>>> Subject: Re: [Wireshark-users] from the past
>>>
>>>> That is exactly what I am doing. I log onto my Windows machine, then
>>>> my ISP, then my proxy. Then maybe go to a few websites, for example.
>>>> Then maybe after a half hour, I may then start up a WS capture.
>>>> Still, even after all that time between logons and actually starting a
>>>> capture, the etherXXXXa tmp file still contains this private info.
>>>>
>>>> According to Jeff, the etherXXXXa file only captures what is not
>>>> encrypted. That makes this even more scary. That means that not only
>>>> is the info being captured but it isn't even being protected by even
>>>> low-grade encryption.
>>>>
>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@cacetech.com> wrote:
>>>>>
>>>>>
>>>>> --------------------------------------------------
>>>>> From: "M K" <gedropi@gmail.com>
>>>>> Sent: Wednesday, March 24, 2010 9:11 AM
>>>>> To: "Community support list for Wireshark" <wireshark-users@wireshark.org>
>>>>> Subject: Re: [Wireshark-users] from the past
>>>>>
>>>>>> That is the question. I am saying that some program (?) is capturing
>>>>>> my unsaved login info. Then at a later point, when I start a WS
>>>>>> capture, that login info from the past is put into that EtherxXXXXa
>>>>>> tmp file.
>>>>>
>>>>> What happens if you log into your ISP and proxy, wait let's say 5 minutes
>>>>> and then start wireshark? Do those packets still show up? What is their
>>>>> timestamp?
>>>>>
>>>>> GV
>>>>>
>>>>>>
>>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@cacetech.com> wrote:
>>>>>>> Are you saying that when you start Wireshark, wireshark itself starts
>>>>>>> capturing, *before* you click the start capture button on it?
>>>>>>> Which adapter is wireshark capturing from?
>>>>>>>
>>>>>>>
>>>>>>> Have a nice day
>>>>>>> GV
>>>>>>>
>>>>>>>
>>>>>>> --------------------------------------------------
>>>>>>> From: "M K" <gedropi@gmail.com>
>>>>>>> Sent: Wednesday, March 24, 2010 8:12 AM
>>>>>>> To: <wireshark-users@wireshark.org>
>>>>>>> Subject: [Wireshark-users] from the past
>>>>>>>
>>>>>>>> Jeff Morriss suggested that I pose this question to you folks.
>>>>>>>>
>>>>>>>> Here is what I wrote:
>>>>>>>> First:
>>>>>>>> I first log onto my Windows machine
>>>>>>>> I log onto my ISP
>>>>>>>> I log into my proxy
>>>>>>>> Maybe do a few things online (eg. go to a few websites)
>>>>>>>> Then log into Wireshark
>>>>>>>>
>>>>>>>> Next:
>>>>>>>> When launching WS, immediately the capture starts a DNS authentication
>>>>>>>> trace and an etherXXXXa* file with Windows & ISP usernames AND passwords
>>>>>>>> is created.
>>>>>>>> Since I expect WS to be literal, I would expect that those actions that
>>>>>>>> had taken place in the past (logons & DNS authentication) would not be
>>>>>>>> captured since WS had not been started when I logged on. That means that
>>>>>>>> this information is being cached or worse somewhere. For my peace of
>>>>>>>> mind, please can you tell me about this security issue? Thank you.
>>>>>>>> ......................
>>>>>>>>
>>>>>>>> Here is what Jeff wrote:
>>>>>>>> Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do the
>>>>>>>> capturing. I'm pretty sure WinPCAP won't start capturing until you ask it
>>>>>>>> to do so. And I'm pretty sure that the OS's TCP/IP stack isn't going to
>>>>>>>> cache stuff to give to WinPCAP after the fact.
>>>>>>>>
>>>>>>>> (BTW, the etherXXX file is just the temporary PCAP file that contains the
>>>>>>>> packets that were captured--and what Wireshark displays for you. The fact
>>>>>>>> that your password, etc., are in there just indicates that your password,
>>>>>>>> etc., were sent over the wire unencrypted.)
>>>>>>>> ..............
>>>>>>>> What Jeff described is what I expected but I believe that I understand
>>>>>>>> now what I am seeing. WS does its own DNS. So, that explains the
>>>>>>>> first question.
>>>>>>>>
>>>>>>>> The second issue, however, is still a big concern. The etherXXXXa
>>>>>>>> file always contains the complete (passwords included) authentication
>>>>>>>> data plus more. Again, this unsaved (by me) login information was
>>>>>>>> sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
>>>>>>>> and put into this file in the present. How can I prevent this login
>>>>>>>> info from being saved? How can I encrypt this login info? This is a
>>>>>>>> security risk.
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> All that is necessary for evil to succeed is that good men do nothing.
>>>>>>>>
>>>>>>>> ~Edmund Burke
>>>>>>>> ___________________________________________________________________________
>>>>>>>> Sent via: Wireshark-users mailing list
>>>>>>>> <wireshark-users@wireshark.org>
>>>>>>>> Archives: http://www.wireshark.org/lists/wireshark-users
>>>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>>>>>
>>>>>>>> mailto:wireshark-users-request@wireshark.org?subject=unsubscribe
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

--
All that is necessary for evil to succeed is that good men do nothing.

~Edmund Burke
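As an added example (not part of this thread, and not Wireshark's or WinPcap's code), here is a small Python audit that walks a classic pcap file and reports every PPP PAP Authenticate-Request, the frame type in which PAP credentials like the ones Jeff describes travel in clear text (RFC 1334), together with the per-record timestamp that GV keeps asking about. It assumes LINKTYPE_PPP framing and a constructed sample capture with made-up credentials; a capture from the "Adapter for generic dialup and VPN capture" may present frames under a different link type.

```python
import struct
LINKTYPE_PPP = 9           # pcap link type assumed for the capture (assumption)
PPP_PAP = 0xC023           # PPP protocol number for PAP (RFC 1334)
PAP_AUTH_REQUEST = 1       # PAP code whose payload is Peer-ID + Password in clear

def pcap_records(data):
    """Yield (linktype, ts_sec, frame) for each record of a classic pcap file."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data)[0])
    if end is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(end + "I", data, 20)[0]
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield linktype, ts_sec, data[off:off + incl_len]
        off += incl_len

def parse_pap_request(frame):
    """Return (peer_id, password) if frame is a PAP Authenticate-Request, else None."""
    if frame[:2] == b"\xff\x03":                 # strip optional HDLC address/control
        frame = frame[2:]
    if len(frame) < 6 or struct.unpack_from(">H", frame)[0] != PPP_PAP:
        return None
    code, _ident, length = struct.unpack_from(">BBH", frame, 2)
    if code != PAP_AUTH_REQUEST or not 6 <= length <= len(frame) - 2:
        return None
    body = frame[6:2 + length]                   # Peer-ID-Length, Peer-ID, Passwd-Length, Passwd
    id_len, pw_len = body[0], body[1 + body[0]]
    peer_id, password = body[1:1 + id_len], body[2 + id_len:2 + id_len + pw_len]
    return peer_id.decode("latin-1"), password.decode("latin-1")

def find_cleartext_logins(data):
    """Return [(ts_sec, peer_id, password)] for every PAP login in the capture."""
    return [(ts, *creds) for lt, ts, frame in pcap_records(data)
            if lt == LINKTYPE_PPP and (creds := parse_pap_request(frame))]

def build_pap_request(peer_id, password, ident=1):
    # Builds a PAP Authenticate-Request; only used to construct the sample below.
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack(">HBBH", PPP_PAP, PAP_AUTH_REQUEST, ident, 4 + len(body)) + body

def build_pcap(frames):
    # Little-endian classic pcap header (v2.4, LINKTYPE_PPP) followed by (ts_sec, frame) records.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_PPP)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

SAMPLE_PCAP = build_pcap([(1269451200, b"\xff\x03" + struct.pack(">HBBH", 0xC021, 1, 1, 4)),
                          (1269451201, build_pap_request(b"alice", b"hunter2"))])  # constructed
```

Because every pcap record carries its own ts_sec, comparing the reported timestamp with the time the capture was started answers the question of whether a login frame was captured live or not.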