Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

Re: from the past

From: bart sikkes <b.sikkes () gmail com>
Date: Wed, 24 Mar 2010 21:25:48 +0100
hi,

can you show us the capture? a screenshot with the actual username /
password removed or such?

i expect it just being a reauthentication action or something like
that. wireshark just captures what is transmitted so something is
transmitting this at the moment of capturing. a lot more happens below
the surface then one initially suspects (and many things will be send
plain text). the fact it ends up in the file is because that is how
wireshark usually works.

good luck finding it,
bart

On Wed, Mar 24, 2010 at 8:58 PM, Gianluca Varenni
<gianluca.varenni () cacetech com> wrote:



--------------------------------------------------
From: "M K" <gedropi () gmail com>
Sent: Wednesday, March 24, 2010 12:45 PM
To: "Community support list for Wireshark" <wireshark-users () wireshark org>
Subject: Re: [Wireshark-users] from the past


Sorry.  I got called away.

The etherXXXX tmp file doesn't appear to have timestamps.  But within


If it's a valid capture file, the packets must have a timestamp, if you open
the file with wireshark.

GV



WS, the LLC (Layer 2) & PPP LCP protocols are the first protocols to
show up in the trace at the time the login info is captured inside the
tmp file.

I suspect that this info is being passed to the tmp file.  Possible
suspects: the OS or networking appliances.

Yes, the interface is:  Adapter for generic dialup and VPN

And thanks for this feedback and help.

On 3/24/10, Gianluca Varenni <gianluca.varenni () cacetech com> wrote:

You didn't answer my questions:

1. what is the timestamp of those packets?
2. what interface are you capturing from?

Are capturing from what is called "Adapter for generic dialup and VPN
capture"?

Have a nice day
GV



--------------------------------------------------
From: "M K" <gedropi () gmail com>
Sent: Wednesday, March 24, 2010 9:25 AM
To: "Community support list for Wireshark"
<wireshark-users () wireshark org>
Subject: Re: [Wireshark-users] from the past


That is exactly what I am doing.  I log onto my Windows machine, then
my ISP, then my proxy.  Then maybe go to a few websites, for example.
Then maybe after a half hour, I may then start up a WS capture.
Still, even after all that time between logons and actually starting a
capture, the etherXXXXa tmp file still contains this private info.

According to Jeff, the etherXXXXa file only captures what is not
encrypted.  That makes this even more scary.  That means that not only
is the info being captured but it isn't even being protected by even
low-grade encryption.

On 3/24/10, Gianluca Varenni <gianluca.varenni () cacetech com> wrote:



--------------------------------------------------
From: "M K" <gedropi () gmail com>
Sent: Wednesday, March 24, 2010 9:11 AM
To: "Community support list for Wireshark"
<wireshark-users () wireshark org>
Subject: Re: [Wireshark-users] from the past


That is the question.  I am saying that some program (?) is capturing
my unsaved login info.  Then at a later point, when I start a WS
capture, that login info from the past is put into that EtherxXXXXa
tmp file.


What happens if you log into your ISP and proxy, wait let's say 5
minutes
and then start wireshark? Do those packets still show up? what is their
tiemstamp?

GV



On 3/24/10, Gianluca Varenni <gianluca.varenni () cacetech com> wrote:

Are you saying that when you start Wireshark, wireshark itself starts
capturing, *before* you click the start capture button on it?
Which adapter is wireshark capturing from?


Have a nice day
GV


--------------------------------------------------
From: "M K" <gedropi () gmail com>
Sent: Wednesday, March 24, 2010 8:12 AM
To: <wireshark-users () wireshark org>
Subject: [Wireshark-users] from the past


Jeff Morriss suggested that I pose this question to you folks.

Here is what I wrote:
First:
I first log onto Windows machine
I log onto my Isp
I log into my proxy
Maybe do a few things online (eg. go to a few websites)
Then log into Wireshark

Next:
When launching WS, immediately the capture starts a DNS
authentication
trace
and an etherXXXXa* file with Windows & ISP usernames AND passwords
is
created.
Since I expect WS to be literal, I would expect that those actions
that
had
taken place in the past (logons & DNS authentication) would not be
captured
since WS had not been started when I logged on.  That means that
this
information is being cached or worse somewhere.  For my peace of
mind,
please
can you tell me about this security issue?  Thank you.
......................

Here is what Jeff wrote:
Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do
the
capturing.  I'm pretty sure WinPCAP won't start capturing until you
ask
it

to
do so.  And I'm pretty sure that the OS's TCP/IP stack isn't going
to
cache
stuff to give to WinPCAP after the fact.

(BTW, the etherXXX file is just the temporary PCAP file that
contains
the
packets that were captured--and what Wireshark displays for you.
The
fact

that
your password, etc., are in there just indicate that your password,
etc.,
were
sent over the wire unencrypted.)
..............
What Jeff described is what I expected but I believe that I
understand
now what I am seeing.  WS does its own DNS.  So, that explains the
first question.

The second issue, however, is still a big concern.  The etherXXXXa
file always contains the complete (passwords included)
authentication
data plus more.  Again, this unsaved (by me) login information was
sent over the wire in the past (PPP PAP), yet it is being saved (by
?)
and put into this file in the present. How can I prevent this login
info from being saved?  How can I encrypt this login info? This is a
security risk.


--
All that is necessary for evil to succeed is that good men do
nothing.

             ~Edmund Burke
___________________________________________________________________________
Sent via:    Wireshark-users mailing list
<wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request () wireshark org?subject=unsubscribe


___________________________________________________________________________
Sent via:    Wireshark-users mailing list
<wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request () wireshark org?subject=unsubscribe




--
All that is necessary for evil to succeed is that good men do nothing.

             ~Edmund Burke
___________________________________________________________________________
Sent via:    Wireshark-users mailing list
<wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request () wireshark org?subject=unsubscribe


___________________________________________________________________________
Sent via:    Wireshark-users mailing list
<wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request () wireshark org?subject=unsubscribe




--
All that is necessary for evil to succeed is that good men do nothing.

             ~Edmund Burke
___________________________________________________________________________
Sent via:    Wireshark-users mailing list
<wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request () wireshark org?subject=unsubscribe


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request () wireshark org?subject=unsubscribe




--
All that is necessary for evil to succeed is that good men do nothing.

             ~Edmund Burke
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request () wireshark org?subject=unsubscribe


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: