wireshark-users March 2010 archive

Re: [Wireshark-users] from the past

From: M K <gedropi_at_nospam>
Date: Wed Mar 24 2010 - 21:29:55 GMT
To: Community support list for Wireshark <wireshark-users@wireshark.org>

Closer to #2. The etherXXXX file is only created when I start a WS
capture. It is apparent to me now that this tmp file is pretty
identical to the capture inside WS. OK. But, I guess this exercise
still brings home the problem of who is (off and on) pulling my
password information, from where and where is it going? I know this
isn't a WS problem. WS was only doing its job.

About the transfer of authentication data, why isn't it encrypted?
What can I do to make this happen?

It doesn't do a lick of good to harden your computer if your
authentication data is all over the place in clear text.

Thanks

On 3/24/10, Gianluca Varenni <gianluca.varenni@cacetech.com> wrote:
> Now I'm a bit confused (I'm probably missing something here). In your
> original email you said
>
>>>>>>>>>>>> The second issue, however, is still a big concern. The etherXXXXa
>>>>>>>>>>>> file always contains the complete (passwords included) authentication
>>>>>>>>>>>> data plus more. Again, this unsaved (by me) login information was
>>>>>>>>>>>> sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
>>>>>>>>>>>> and put into this file in the present. How can I prevent this login
>>>>>>>>>>>> info from being saved? How can I encrypt this login info? This is
>>>>>>>>>>>> a security risk.
>
> I don't understand if
>
> 1. the file etherXXXX "magically" appears even when you do not start
> wireshark and you do not start a capture
>
> or
>
> 2. you do open wireshark and start a capture (in this case wireshark does
> create an etherXXXX file), and you see packets containing your username and
> password (and other sensitive data) that were exchanged with your ISP/proxy
> *well before* you started to capture with wireshark.
>
> Which one is the right one?
>
> GV
>
>
>
>
>
> --------------------------------------------------
> From: "M K" <gedropi@gmail.com>
> Sent: Wednesday, March 24, 2010 1:48 PM
> To: "Community support list for Wireshark" <wireshark-users@wireshark.org>
> Subject: Re: [Wireshark-users] from the past
>
>> The etherXXXX file is only a tmp file written in hex. I believe that
>> it would be impossible to open within WS because the only time the
>> ethernet file exists is when you are already in the middle of a
>> capture. And it vanishes when you stop the capture or shut down WS, I
>> believe. Opening another file while performing a capture is not
>> enabled. Unless you had multiple instances of WS perhaps.
>>
>> On 3/24/10, Gianluca Varenni <gianluca.varenni@cacetech.com> wrote:
>>>
>>>
>>> --------------------------------------------------
>>> From: "M K" <gedropi@gmail.com>
>>> Sent: Wednesday, March 24, 2010 1:29 PM
>>> To: "Community support list for Wireshark"
>>> <wireshark-users@wireshark.org>
>>> Subject: Re: [Wireshark-users] from the past
>>>
>>>> The WS capture file does have time stamps. The etherXXXXa file lives
>>>> at: \Documents and Settings\Administrator\Local Settings\Temp within
>>>> Windows. This tmp file does not appear to have obvious timestamps.
>>>> Machine name, Administrator User name, packet source/dest and at
>>>> times, also the passwords to Windows and ISP.
>>>
>>> Wait... is this a pcap file or not? Can you open it with wireshark?
>>>
>>> Have a nice day
>>> GV
>>>
>>>
>>>>
>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@cacetech.com> wrote:
>>>>>
>>>>>
>>>>> --------------------------------------------------
>>>>> From: "M K" <gedropi@gmail.com>
>>>>> Sent: Wednesday, March 24, 2010 12:45 PM
>>>>> To: "Community support list for Wireshark"
>>>>> <wireshark-users@wireshark.org>
>>>>> Subject: Re: [Wireshark-users] from the past
>>>>>
>>>>>> Sorry. I got called away.
>>>>>>
>>>>>> The etherXXXX tmp file doesn't appear to have timestamps. But within
>>>>>
>>>>> If it's a valid capture file, the packets must have a timestamp, if you
>>>>> open the file with wireshark.
>>>>>
>>>>> GV
>>>>>
>>>>>
>>>>>> WS, the LLC (Layer 2) & PPP LCP protocols are the first protocols to
>>>>>> show up in the trace at the time the login info is captured inside the
>>>>>> tmp file.
>>>>>>
>>>>>> I suspect that this info is being passed to the tmp file. Possible
>>>>>> suspects: the OS or networking appliances.
>>>>>>
>>>>>> Yes, the interface is: Adapter for generic dialup and VPN
>>>>>>
>>>>>> And thanks for this feedback and help.
>>>>>>
>>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@cacetech.com> wrote:
>>>>>>> You didn't answer my questions:
>>>>>>>
>>>>>>> 1. what is the timestamp of those packets?
>>>>>>> 2. what interface are you capturing from?
>>>>>>>
>>>>>>> Are you capturing from what is called "Adapter for generic dialup and VPN
>>>>>>> capture"?
>>>>>>>
>>>>>>> Have a nice day
>>>>>>> GV
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --------------------------------------------------
>>>>>>> From: "M K" <gedropi@gmail.com>
>>>>>>> Sent: Wednesday, March 24, 2010 9:25 AM
>>>>>>> To: "Community support list for Wireshark"
>>>>>>> <wireshark-users@wireshark.org>
>>>>>>> Subject: Re: [Wireshark-users] from the past
>>>>>>>
>>>>>>>> That is exactly what I am doing. I log onto my Windows machine, then
>>>>>>>> my ISP, then my proxy. Then maybe go to a few websites, for example.
>>>>>>>> Then maybe after a half hour, I may then start up a WS capture.
>>>>>>>> Still, even after all that time between logons and actually starting a
>>>>>>>> capture, the etherXXXXa tmp file still contains this private info.
>>>>>>>>
>>>>>>>> According to Jeff, the etherXXXXa file only captures what is not
>>>>>>>> encrypted. That makes this even more scary. That means that not only
>>>>>>>> is the info being captured but it isn't even being protected by even
>>>>>>>> low-grade encryption.
>>>>>>>>
>>>>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@cacetech.com> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --------------------------------------------------
>>>>>>>>> From: "M K" <gedropi@gmail.com>
>>>>>>>>> Sent: Wednesday, March 24, 2010 9:11 AM
>>>>>>>>> To: "Community support list for Wireshark"
>>>>>>>>> <wireshark-users@wireshark.org>
>>>>>>>>> Subject: Re: [Wireshark-users] from the past
>>>>>>>>>
>>>>>>>>>> That is the question. I am saying that some program (?) is capturing
>>>>>>>>>> my unsaved login info. Then at a later point, when I start a WS
>>>>>>>>>> capture, that login info from the past is put into that EtherxXXXXa
>>>>>>>>>> tmp file.
>>>>>>>>>
>>>>>>>>> What happens if you log into your ISP and proxy, wait let's say 5
>>>>>>>>> minutes and then start wireshark? Do those packets still show up? What
>>>>>>>>> is their timestamp?
>>>>>>>>>
>>>>>>>>> GV
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@cacetech.com>
>>>>>>>>>> wrote:
>>>>>>>>>>> Are you saying that when you start Wireshark, wireshark itself starts
>>>>>>>>>>> capturing, *before* you click the start capture button on it?
>>>>>>>>>>> Which adapter is wireshark capturing from?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Have a nice day
>>>>>>>>>>> GV
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --------------------------------------------------
>>>>>>>>>>> From: "M K" <gedropi@gmail.com>
>>>>>>>>>>> Sent: Wednesday, March 24, 2010 8:12 AM
>>>>>>>>>>> To: <wireshark-users@wireshark.org>
>>>>>>>>>>> Subject: [Wireshark-users] from the past
>>>>>>>>>>>
>>>>>>>>>>>> Jeff Morriss suggested that I pose this question to you folks.
>>>>>>>>>>>>
>>>>>>>>>>>> Here is what I wrote:
>>>>>>>>>>>> First:
>>>>>>>>>>>> I first log onto Windows machine
>>>>>>>>>>>> I log onto my ISP
>>>>>>>>>>>> I log into my proxy
>>>>>>>>>>>> Maybe do a few things online (e.g. go to a few websites)
>>>>>>>>>>>> Then log into Wireshark
>>>>>>>>>>>>
>>>>>>>>>>>> Next:
>>>>>>>>>>>> When launching WS, immediately the capture starts a DNS authentication
>>>>>>>>>>>> trace and an etherXXXXa* file with Windows & ISP usernames AND
>>>>>>>>>>>> passwords is created.
>>>>>>>>>>>> Since I expect WS to be literal, I would expect that those actions
>>>>>>>>>>>> that had taken place in the past (logons & DNS authentication) would
>>>>>>>>>>>> not be captured since WS had not been started when I logged on. That
>>>>>>>>>>>> means that this information is being cached or worse somewhere. For
>>>>>>>>>>>> my peace of mind, please can you tell me about this security issue?
>>>>>>>>>>>> Thank you.
>>>>>>>>>>>> ......................
>>>>>>>>>>>>
>>>>>>>>>>>> Here is what Jeff wrote:
>>>>>>>>>>>> Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do
>>>>>>>>>>>> the capturing. I'm pretty sure WinPCAP won't start capturing until
>>>>>>>>>>>> you ask it to do so. And I'm pretty sure that the OS's TCP/IP stack
>>>>>>>>>>>> isn't going to cache stuff to give to WinPCAP after the fact.
>>>>>>>>>>>>
>>>>>>>>>>>> (BTW, the etherXXX file is just the temporary PCAP file that contains
>>>>>>>>>>>> the packets that were captured--and what Wireshark displays for you.
>>>>>>>>>>>> The fact that your password, etc., are in there just indicates that
>>>>>>>>>>>> your password, etc., were sent over the wire unencrypted.)
>>>>>>>>>>>> ..............
>>>>>>>>>>>> What Jeff described is what I expected but I believe that I
>>>>>>>>>>>> understand now what I am seeing. WS does its own DNS. So, that
>>>>>>>>>>>> explains the first question.
>>>>>>>>>>>>
>>>>>>>>>>>> The second issue, however, is still a big concern. The etherXXXXa
>>>>>>>>>>>> file always contains the complete (passwords included) authentication
>>>>>>>>>>>> data plus more. Again, this unsaved (by me) login information was
>>>>>>>>>>>> sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
>>>>>>>>>>>> and put into this file in the present. How can I prevent this login
>>>>>>>>>>>> info from being saved? How can I encrypt this login info? This is
>>>>>>>>>>>> a security risk.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> All that is necessary for evil to succeed is that good men do
>>>>>>>>>>>> nothing.
>>>>>>>>>>>>
>>>>>>>>>>>> ~Edmund Burke
>>>>>>>>>>>> ___________________________________________________________________________
>>>>>>>>>>>> Sent via: Wireshark-users mailing list
>>>>>>>>>>>> <wireshark-users@wireshark.org>
>>>>>>>>>>>> Archives: http://www.wireshark.org/lists/wireshark-users
>>>>>>>>>>>> Unsubscribe:
>>>>>>>>>>>> https://wireshark.org/mailman/options/wireshark-users
>>>>>>>>>>>>
>>>>>>>>>>>> mailto:wireshark-users-request@wireshark.org?subject=unsubscribe
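The thread's conclusion is that the credentials show up in the temporary capture file because PPP PAP puts them on the wire in cleartext, and the poster asks what can be done about it. From a defender's side, the first practical step is to know whether a capture contains such packets before keeping or sharing it. The scanner below is an added example written for this page, not code from Wireshark, WinPcap or anyone in the thread: it parses a classic pcap of PPP (DLT_PPP) frames, reports each PAP Authenticate-Request with its timestamp and peer-id, and deliberately keeps only the length of the password, never its value. The sample capture is constructed inline, and names such as `find_cleartext_pap` and the peer-id `alice` are this example's own.

```python
"""Audit a classic pcap of PPP frames for PAP Authenticate-Request packets.

PAP (RFC 1334) sends the peer-id and password in cleartext, so a capture
taken on the dial-up/VPN adapter while a PPP link authenticates contains
them.  This scanner reports where such packets are (with the timestamp)
but never stores or prints the password itself.  Hypothetical helper code
written for this example; it is not part of Wireshark or WinPcap.
"""
import struct
from datetime import datetime, timezone

PCAP_MAGIC_LE = 0xA1B2C3D4      # classic pcap magic as written by a little-endian host
PCAP_MAGIC_BE = 0xD4C3B2A1      # the same magic read from a big-endian writer
DLT_PPP = 9                     # link-layer type: PPP frames
PPP_PROTO_PAP = 0xC023          # PPP protocol number for PAP
PAP_AUTHENTICATE_REQUEST = 1    # PAP code that carries peer-id + password


def build_pcap(frames, linktype=DLT_PPP):
    """Serialize (timestamp, frame) pairs into a classic pcap image (constructed data)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, linktype)
    out = [header]
    for ts, frame in frames:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def pap_authenticate_request(ident, peer_id, password):
    """Encode a PPP/HDLC frame carrying a PAP Authenticate-Request (RFC 1334 2.1.1)."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    pap = struct.pack("!BBH", PAP_AUTHENTICATE_REQUEST, ident, 4 + len(body)) + body
    return b"\xff\x03" + struct.pack("!H", PPP_PROTO_PAP) + pap


def iter_records(data):
    """Yield (timestamp, frame, linktype) for every record in a classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _ts_usec, caplen, _origlen = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield ts_sec, data[offset:offset + caplen], linktype
        offset += caplen


def ppp_protocol(frame, linktype):
    """Split a DLT_PPP frame into (protocol, payload); None if it is not PPP."""
    if linktype != DLT_PPP:
        return None
    if frame[:2] == b"\xff\x03":          # HDLC address/control bytes, if present
        frame = frame[2:]
    if len(frame) < 2:
        return None
    if frame[0] & 1:                      # protocol-field compression: one byte
        return frame[0], frame[1:]
    return struct.unpack("!H", frame[:2])[0], frame[2:]


def find_cleartext_pap(pcap_bytes):
    """Return one finding per PAP Authenticate-Request; the password is dropped."""
    findings = []
    for ts, frame, linktype in iter_records(pcap_bytes):
        parsed = ppp_protocol(frame, linktype)
        if parsed is None or parsed[0] != PPP_PROTO_PAP:
            continue
        pap = parsed[1]
        if len(pap) < 4:
            continue
        code, ident, length = struct.unpack("!BBH", pap[:4])
        if code != PAP_AUTHENTICATE_REQUEST or length > len(pap) or length < 6:
            continue
        body = pap[4:length]
        peer_len = body[0]
        if len(body) < 2 + peer_len:
            continue
        pw_len = body[1 + peer_len]
        if len(body) < 2 + peer_len + pw_len:
            continue
        findings.append({
            "time_utc": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
            "identifier": ident,
            "peer_id": body[1:1 + peer_len].decode("latin-1"),
            "password_len": pw_len,   # length only: the secret is not retained
        })
    return findings


# Constructed sample capture: LCP Configure-Request, PAP request, PAP Authenticate-Ack.
SAMPLE_PCAP = build_pcap([
    (1269465000, b"\xff\x03\xc0\x21\x01\x01\x00\x04"),                 # LCP, ignored
    (1269465001, pap_authenticate_request(1, b"alice", b"s3cret-pw")),  # cleartext credentials
    (1269465002, b"\xff\x03\xc0\x23\x02\x01\x00\x05\x00"),             # PAP Ack, no secret
])

if __name__ == "__main__":
    for f in find_cleartext_pap(SAMPLE_PCAP):
        print(f"{f['time_utc']} PAP Authenticate-Request id={f['identifier']} "
              f"peer_id={f['peer_id']!r} password_len={f['password_len']} (cleartext)")
```

Inside Wireshark the equivalent check is the display filter `pap.code == 1` (Authenticate-Request), assuming the PPP dissector's `pap` field names. The timestamp in each finding answers the question raised repeatedly in the thread: it will match the moment the PPP link authenticated during the capture, not an earlier logon. No capture-side setting can protect a password that is already on the wire in the clear; the fix the poster is asking for is to have the link authenticate with a method that does not send the password itself (e.g. CHAP) or to carry the link inside an encrypted tunnel.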