Re: One IP-Port pair missing in the pcap file

[vishal borkar <weeshalll () gmail com>]

Accepted that the SIP data might be encrypted.but the frames that you
mentioned
(NO 406 onwards  ) do not carry the actual SIP data. If you see closely the
SIP data
is travelling in SSL packets (Frame no 422 onwards).All of it seems to be
plain text.
And my IP and port is nowhere to be seen in those packets.So my problem
still persists.

Thanks and regards,
Vishal.

On Thu, Mar 25, 2010 at 12:30 AM, <wireshark-users-request () wireshark org>wrote:

> Send Wireshark-users mailing list submissions to
>        wireshark-users () wireshark org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://wireshark.org/mailman/listinfo/wireshark-users
> or, via email, send a message with subject or body 'help' to
>        wireshark-users-request () wireshark org
>
> You can reach the person managing the list at
>        wireshark-users-owner () wireshark org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Wireshark-users digest..."
>
>
> Today's Topics:
>
>   1. from the past (M K)
>   2. RSL over LAPD over UDP not parsed (Christian de Waal)
>   3. Re: Using LTE-MAC over UDP heuristic (Martin Mathieson)
>   4. Re: from the past (Gianluca Varenni)
>   5. Re: One IP-Port pair missing in the pcap file (Robert D. Scott)
>   6. Re: W2000 SP4 Wireshark 1.2.6 and 1.3.3 do not work
>      (Graham Bloice)
>   7. Re: from the past (M K)
>   8. Re: from the past (Gianluca Varenni)
>   9. Re: from the past (M K)
>  10. Re: from the past (Graham Bloice)
>  11. Re: Link error on the Wireshark website (Gerald Combs)
>  12. Re: from the past (Jeff Morriss)
>  13. Re: W2000 SP4 Wireshark 1.2.6 and 1.3.3 do not work (Gerald Combs)
>  14. Re: from the past (M K)
>  15. Re: from the past (M K)
>  16. Re: Upgraded wireshark to 1.2.6 but       nowold  pcapfiles cannot
>      be read (Kok-Yong Tan)
>  17. Re: from the past (Graham Bloice)
>  18. Re: from the past (Gianluca Varenni)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 24 Mar 2010 07:12:12 -0800
> From: M K <gedropi () gmail com>
> Subject: [Wireshark-users] from the past
> To: wireshark-users () wireshark org
> Message-ID:
>        <b4ea502d1003240812r2154329er31101204b1f1a181 () mail gmail com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Jeff Morriss suggested that I pose this question to you folks.
>
> Here is what I wrote:
> First:
> I first log onto Windows machine
> I log onto my Isp
> I log into my proxy
> Maybe do a few things online (eg. go to a few websites)
> Then log into Wireshark
>
> Next:
> When launching WS, immediately the capture starts a DNS authentication
> trace
> and an etherXXXXa* file with Windows & ISP usernames AND passwords is
> created.
> Since I expect WS to be literal, I would expect that those actions that had
> taken place in the past (logons & DNS authentication) would not be
>  captured
> since WS had not been started when I logged on.  That means that this
> information is being cached or worse somewhere.  For my peace of mind,
> please
> can you tell me about this security issue?  Thank you.
> ......................
>
> Here is what Jeff wrote:
> Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do the
> capturing.  I'm pretty sure WinPCAP won't start capturing until you ask it
> to
> do so.  And I'm pretty sure that the OS's TCP/IP stack isn't going to cache
> stuff to give to WinPCAP after the fact.
>
> (BTW, the etherXXX file is just the temporary PCAP file that contains the
> packets that were captured--and what Wireshark displays for you.  The fact
> that
> your password, etc., are in there just indicate that your password, etc.,
> were
> sent over the wire unencrypted.)
> ..............
> What Jeff described is what I expected but I believe that I understand
> now what I am seeing.  WS does its own DNS.  So, that explains the
> first question.
>
> The second issue, however, is still a big concern.  The etherXXXXa
> file always contains the complete (passwords included) authentication
> data plus more.  Again, this unsaved (by me) login information was
> sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
> and put into this file in the present. How can I prevent this login
> info from being saved?  How can I encrypt this login info? This is a
> security risk.
>
>
> --
> All that is necessary for evil to succeed is that good men do nothing.
>
>              ~Edmund Burke
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 24 Mar 2010 16:49:49 +0100
> From: Christian de Waal <Christian.deWaal () onephone de>
> Subject: [Wireshark-users] RSL over LAPD over UDP not parsed
> To: "wireshark-users () wireshark org" <wireshark-users () wireshark org>
> Message-ID:
>        <5A42207526F4F34C96C3A06F876FA54703892F2395 () srv01 erkrath opde.local
> >
> Content-Type: text/plain; charset="us-ascii"
>
> Dear all,
>
> I have some tcpdump traces where I am very sure that the protocol stack
> used is RSL over LAPD over UDP. However, the RSL over LAPD part is not
> parsed by Wireshark, but only displayed as hex data. I have tried to find
> some configuration possibility to manually assign LAPD to the non standard
> UDP port number which is used in this case, but I failed.
>
> Therefore my question, can I somehow configure Wireshark to parse LAPD and
> RSL inside the UDP packets? If this is not possible configuration-wise,
> could someone point me to the places in the source code where I would have
> to make changes to "hard code" this protocol stack into a special Wireshark
> version which I could use specifically for these traces only?
>
> Thanks a lot in advance for your help!
>
> BR,
> Christian de Waal
>
>
>
> [cid:imageb97751.jpg@bbaf8a22.54f44a1c]
> ______________________________
> Christian de Waal - Value Added Service IP Engineer
>
> Tel:    +49 (211) 5423 5006
> Mobil:  +49 (1577) 540 5006
> Fax:    +49 (211) 5423 5099
> E-Mail: christian.dewaal () onephone de
> Web:    http://www.onephone.de<http://www.onephone.de/>
>
> OnePhone Deutschland GmbH
> D?sseldorfer Str.16
> 40699 Erkrath, Deutschland
>
> Gesch?ftsf?hrer: Marc Mauermann
> Sitz der Gesellschaft: Erkrath, D?sseldorfer Str.16, D-40699 Erkrath
> HRB 21674 Wuppertal
>
> [cid:imageb96119.gif@3c5e3dda.ca8940d7] Think green! Please consider the
> environment before printing this email.
>
>
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://www.wireshark.org/lists/wireshark-users/attachments/20100324/38a9f3a3/attachment.htm
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: imageb97751.jpg@bbaf8a22.54f44a1c
> Type: image/jpeg
> Size: 3042 bytes
> Desc: imageb97751.jpg@bbaf8a22.54f44a1c
> Url :
> http://www.wireshark.org/lists/wireshark-users/attachments/20100324/38a9f3a3/attachment.jpeg
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: imageb96119.gif@3c5e3dda.ca8940d7
> Type: image/gif
> Size: 1100 bytes
> Desc: imageb96119.gif@3c5e3dda.ca8940d7
> Url :
> http://www.wireshark.org/lists/wireshark-users/attachments/20100324/38a9f3a3/attachment.gif
>
> ------------------------------
>
> Message: 3
> Date: Wed, 24 Mar 2010 15:59:54 +0000
> From: Martin Mathieson <martin.r.mathieson () googlemail com>
> Subject: Re: [Wireshark-users] Using LTE-MAC over UDP heuristic
> To: Community support list for Wireshark
>        <wireshark-users () wireshark org>
> Message-ID:
>        <7b8c30e41003240859l2d917edkbc33689c37c33a7e () mail gmail com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Raju,
> The UDP heuristic dissector isn't for use with dct2000 (now known as
> IxCatapult) .out files, its a separate way to supply the MAC dissector with
> the info it needs.
>
> There is a sample C problem linked from the MAC-LTE wiki page that will
> send
> MAC frames over UDP with the header format that the heuristic dissector
> understands.
> - that program can send frames to a given machine name or IP address, where
> Wireshark can capture those UDP frames in the normal way
> - there is a pattern on the front of the UDP payload that matches what the
> heuristic dissector is check for
> - it parses the UDP framing info to get the context the MAC-LTE dissector
> needs in order to fully decode the frame that follows
>
> The program is BSD licensed, and the intention was that you could build
> this
> functionality into your equipment that deals with MAC frames and configure
> it to send to a machine running Wireshark.
>
> The alternative is to have Wireshark understand MAC frames from a special
> file format, which is what I did with our .out files.  I wouldn't recommend
> you try to use the .out file format if you're not using IxCatapult
> equipment.
>
> Hope this helps,
> Martin
>
>
> On Wed, Mar 24, 2010 at 12:06 PM, Raju Udava <raju.us () gmail com> wrote:
>
> > Hi,
> >
> > This is what I tried out, but wasnt able to see MAC parsed information:
> >
> > a) Enabled mac-lte protocol option in "Enabled Protocols"
> > b) Enabled "Try heuristic sub-dissectors first" option for UDP
> > c) Created a .out file using text2pcap, with dummy UDP header.
> > d) UDP paylaod was started with "mac-lte" tag followed by information as
> > specified in packet-mac-lte.h
> >
> > When I opened the output file on wireshark, I couldn't see MAC protocol
> > information & packet was still being displayed as UDP.
> > Please let me know if I need to use any specific UDP ports? or If I am
> > missing out to enable any option?
> > If anyone has sample catapult 2000 file for MAC-LTE, please post.
> >
> > ===
> >
> > input.txt
> > 000000 6d 61 63 2d 6c 74 65 01 00 03 01 21 02 1f 00 10 00 00 00 00
> >
> > text2pcap.exe -u 99,99 input.txt output.txt
> >
> > Opened output.txt in wireshark. It was showing just as a normal packet.
> >
> > ===
> >
> > Thanks in advance.
> >
> > --
> > Regards,
> > Raju Udava
> ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org
> >
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >             mailto:wireshark-users-request () wireshark org
> > ?subject=unsubscribe
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://www.wireshark.org/lists/wireshark-users/attachments/20100324/2b4925e0/attachment.htm
>
> ------------------------------
>
> Message: 4
> Date: Wed, 24 Mar 2010 09:01:13 -0700
> From: "Gianluca Varenni" <gianluca.varenni () cacetech com>
> Subject: Re: [Wireshark-users] from the past
> To: <wireshark-users () wireshark org>
> Message-ID: <BDFABABCB81F4453AE99371222CDB513@NELSON3>
> Content-Type: text/plain; format=flowed; charset="iso-8859-1";
>        reply-type=original
>
> Are you saying that when you start Wireshark, wireshark itself starts
> capturing, *before* you click the start capture button on it?
> Which adapter is wireshark capturing from?
>
>
> Have a nice day
> GV
>
>
> --------------------------------------------------
> From: "M K" <gedropi () gmail com>
> Sent: Wednesday, March 24, 2010 8:12 AM
> To: <wireshark-users () wireshark org>
> Subject: [Wireshark-users] from the past
>
> > Jeff Morriss suggested that I pose this question to you folks.
> >
> > Here is what I wrote:
> > First:
> > I first log onto Windows machine
> > I log onto my Isp
> > I log into my proxy
> > Maybe do a few things online (eg. go to a few websites)
> > Then log into Wireshark
> >
> > Next:
> > When launching WS, immediately the capture starts a DNS authentication
> > trace
> > and an etherXXXXa* file with Windows & ISP usernames AND passwords is
> > created.
> > Since I expect WS to be literal, I would expect that those actions that
> > had
> > taken place in the past (logons & DNS authentication) would not be
> > captured
> > since WS had not been started when I logged on.  That means that this
> > information is being cached or worse somewhere.  For my peace of mind,
> > please
> > can you tell me about this security issue?  Thank you.
> > ......................
> >
> > Here is what Jeff wrote:
> > Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do the
> > capturing.  I'm pretty sure WinPCAP won't start capturing until you ask
> it
> > to
> > do so.  And I'm pretty sure that the OS's TCP/IP stack isn't going to
> > cache
> > stuff to give to WinPCAP after the fact.
> >
> > (BTW, the etherXXX file is just the temporary PCAP file that contains the
> > packets that were captured--and what Wireshark displays for you.  The
> fact
> > that
> > your password, etc., are in there just indicate that your password, etc.,
> > were
> > sent over the wire unencrypted.)
> > ..............
> > What Jeff described is what I expected but I believe that I understand
> > now what I am seeing.  WS does its own DNS.  So, that explains the
> > first question.
> >
> > The second issue, however, is still a big concern.  The etherXXXXa
> > file always contains the complete (passwords included) authentication
> > data plus more.  Again, this unsaved (by me) login information was
> > sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
> > and put into this file in the present. How can I prevent this login
> > info from being saved?  How can I encrypt this login info? This is a
> > security risk.
> >
> >
> > --
> > All that is necessary for evil to succeed is that good men do nothing.
> >
> >              ~Edmund Burke
> ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org
> >
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >
> > mailto:wireshark-users-request () wireshark org?subject=unsubscribe
>
>
>
> ------------------------------
>
> Message: 5
> Date: Wed, 24 Mar 2010 12:06:15 -0400
> From: "Robert D. Scott" <robert () ufl edu>
> Subject: Re: [Wireshark-users] One IP-Port pair missing in the pcap
>        file
> To: "'Community support list for Wireshark'"
>        <wireshark-users () wireshark org>
> Message-ID: <005d01cacb6b$ee616560$cb243020$@edu>
> Content-Type: text/plain;       charset="us-ascii"
>
> It looks like your session initiation is encrypted (Begin Frame 406).
> Immediately after DNS query voipb.sip.yahoo.com (Frames 397 - 398) with
> answers in (Frames 403 -405). You will not be able to decrypt any of the
> setup exchange. :(
>
> Robert D. Scott                 Robert () ufl edu
> Senior Network Engineer         352-273-0113 Phone
> CNS - Network Services          352-392-2061 CNS Phone Tree
> University of Florida           352-392-9440 FAX
> Florida Lambda Rail             352-294-3571 FLR NOC
> Gainesville, FL  32611          321-663-0421 Cell
>
>
> -----Original Message-----
> From: wireshark-users-bounces () wireshark org
> [mailto:wireshark-users-bounces () wireshark org] On Behalf Of vishal borkar
> Sent: Wednesday, March 24, 2010 1:28 AM
> To: wireshark-users () wireshark org
> Subject: [Wireshark-users] One IP-Port pair missing in the pcap file
>
> Hello all,
> I recently captured a yahoo voice communication between my machine and a
> friend.
> What i observed was that when i opened the file in a text editor i could
> not
> find the port and the IP of my system on which the actual communication
> took
> place.
> FYI my ip ( on which the UDP data travelled ):-192.168.0.230 Port(on which
> the UDP data travelled ):- 22308
>
> Though i can clearly see the communication happening on this IP-port pair
> when i opened the file in Wireshark.
> Can anyone tell me as to why this is happening ?
> What i mean is aren't the SIP packets supposed to carry this information ?
> Since they are not carrying this information then how is the communication
> taking place ?
> I am attaching the file for your reference.
>
> Thanks in advance,
> Vishal
>
>
>
>
>
> ------------------------------
>
> Message: 6
> Date: Wed, 24 Mar 2010 16:06:53 +0000
> From: Graham Bloice <graham.bloice () trihedral com>
> Subject: Re: [Wireshark-users] W2000 SP4 Wireshark 1.2.6 and 1.3.3 do
>        not work
> To: Mail Box <mailbox () openmail cc>,     Community support list for
>        Wireshark <wireshark-users () wireshark org>
> Message-ID: <4BAA389D.7010002 () trihedral com>
> Content-Type: text/plain; charset="utf-8"
>
> On 23/03/2010 16:47, Mail Box wrote:
> > It has already been reported by another user but has been erroneously
> closed as resolved.
> > That is not the case.
> > The reported error persists at least on some installations of W2000 SP4.
> > Wireshark 1.2.5 works on the same platform.
> >
> > Error:
> > "The procedure entry point getaddrinfo could not be located in the
> dynamic link
> > library W32_32.dll"
> This call is made from the c-ares library, not wireshark itself.
> According to MSDN
> (http://msdn.microsoft.com/en-us/library/ms738520%28VS.85%29.aspx, see
> blurb near bottom on older versions of Windows) to use this function on
> Windows < XP SP2 requires one to include ws2tcpip.h and Wspiapi.h before
> using the function.  This then uses an in-line copy of the function if
> the system dll doesn't include it.  This would mean building our own
> copy of c-ares.
>
> As all MS support for W2K ceases on 13 July 2010
> (
> http://support.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Windows+2000&Filter=FilterNO
> )
> is this worthwhile?
>
> --
> Regards,
>
> Graham Bloice
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://www.wireshark.org/lists/wireshark-users/attachments/20100324/7f197217/attachment.htm
>
> ------------------------------
>
> Message: 7
> Date: Wed, 24 Mar 2010 08:11:40 -0800
> From: M K <gedropi () gmail com>
> Subject: Re: [Wireshark-users] from the past
> To: Community support list for Wireshark
>        <wireshark-users () wireshark org>
> Message-ID:
>        <b4ea502d1003240911u5bdb7dfesbad8876663ebb3de () mail gmail com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> That is the question.  I am saying that some program (?) is capturing
> my unsaved login info.  Then at a later point, when I start a WS
> capture, that login info from the past is put into that EtherxXXXXa
> tmp file.
>
> On 3/24/10, Gianluca Varenni <gianluca.varenni () cacetech com> wrote:
> > Are you saying that when you start Wireshark, wireshark itself starts
> > capturing, *before* you click the start capture button on it?
> > Which adapter is wireshark capturing from?
> >
> >
> > Have a nice day
> > GV
> >
> >
> > --------------------------------------------------
> > From: "M K" <gedropi () gmail com>
> > Sent: Wednesday, March 24, 2010 8:12 AM
> > To: <wireshark-users () wireshark org>
> > Subject: [Wireshark-users] from the past
> >
> > > Jeff Morriss suggested that I pose this question to you folks.
> > >
> > > Here is what I wrote:
> > > First:
> > > I first log onto Windows machine
> > > I log onto my Isp
> > > I log into my proxy
> > > Maybe do a few things online (eg. go to a few websites)
> > > Then log into Wireshark
> > >
> > > Next:
> > > When launching WS, immediately the capture starts a DNS authentication
> > > trace
> > > and an etherXXXXa* file with Windows & ISP usernames AND passwords is
> > > created.
> > > Since I expect WS to be literal, I would expect that those actions that
> > > had
> > > taken place in the past (logons & DNS authentication) would not be
> > > captured
> > > since WS had not been started when I logged on.  That means that this
> > > information is being cached or worse somewhere.  For my peace of mind,
> > > please
> > > can you tell me about this security issue?  Thank you.
> > > ......................
> > >
> > > Here is what Jeff wrote:
> > > Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do the
> > > capturing.  I'm pretty sure WinPCAP won't start capturing until you ask
> it
> > > to
> > > do so.  And I'm pretty sure that the OS's TCP/IP stack isn't going to
> > > cache
> > > stuff to give to WinPCAP after the fact.
> > >
> > > (BTW, the etherXXX file is just the temporary PCAP file that contains
> the
> > > packets that were captured--and what Wireshark displays for you.  The
> fact
> > > that
> > > your password, etc., are in there just indicate that your password,
> etc.,
> > > were
> > > sent over the wire unencrypted.)
> > > ..............
> > > What Jeff described is what I expected but I believe that I understand
> > > now what I am seeing.  WS does its own DNS.  So, that explains the
> > > first question.
> > >
> > > The second issue, however, is still a big concern.  The etherXXXXa
> > > file always contains the complete (passwords included) authentication
> > > data plus more.  Again, this unsaved (by me) login information was
> > > sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
> > > and put into this file in the present. How can I prevent this login
> > > info from being saved?  How can I encrypt this login info? This is a
> > > security risk.
> > >
> > >
> > > --
> > > All that is necessary for evil to succeed is that good men do nothing.
> > >
> > >              ~Edmund Burke
> ___________________________________________________________________________
> > > Sent via:    Wireshark-users mailing list <
> wireshark-users () wireshark org>
> > > Archives:    http://www.wireshark.org/lists/wireshark-users
> > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > >
> > > mailto:wireshark-users-request () wireshark org?subject=unsubscribe
> ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org
> >
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >
> > mailto:wireshark-users-request () wireshark org?subject=unsubscribe
>
>
> --
> All that is necessary for evil to succeed is that good men do nothing.
>
>              ~Edmund Burke
>
>
> ------------------------------
>
> Message: 8
> Date: Wed, 24 Mar 2010 09:16:36 -0700
> From: "Gianluca Varenni" <gianluca.varenni () cacetech com>
> Subject: Re: [Wireshark-users] from the past
> To: "Community support list for Wireshark"
>        <wireshark-users () wireshark org>
> Message-ID: <98CC46AE61AA488DAE0567FB73F4C52D@NELSON3>
> Content-Type: text/plain; format=flowed; charset="iso-8859-1";
>        reply-type=original
>
>
>
> --------------------------------------------------
> From: "M K" <gedropi () gmail com>
> Sent: Wednesday, March 24, 2010 9:11 AM
> To: "Community support list for Wireshark" <wireshark-users () wireshark org>
> Subject: Re: [Wireshark-users] from the past
>
> > That is the question.  I am saying that some program (?) is capturing
> > my unsaved login info.  Then at a later point, when I start a WS
> > capture, that login info from the past is put into that EtherxXXXXa
> > tmp file.
>
> What happens if you log into your ISP and proxy, wait let's say 5 minutes
> and then start wireshark? Do those packets still show up? what is their
> tiemstamp?
>
> GV
>
> > On 3/24/10, Gianluca Varenni <gianluca.varenni () cacetech com> wrote:
> > > Are you saying that when you start Wireshark, wireshark itself starts
> > > capturing, *before* you click the start capture button on it?
> > > Which adapter is wireshark capturing from?
> > >
> > >
> > > Have a nice day
> > > GV
> > >
> > >
> > > --------------------------------------------------
> > > From: "M K" <gedropi () gmail com>
> > > Sent: Wednesday, March 24, 2010 8:12 AM
> > > To: <wireshark-users () wireshark org>
> > > Subject: [Wireshark-users] from the past
> > >
> > > > Jeff Morriss suggested that I pose this question to you folks.
> > > >
> > > > Here is what I wrote:
> > > > First:
> > > > I first log onto Windows machine
> > > > I log onto my Isp
> > > > I log into my proxy
> > > > Maybe do a few things online (eg. go to a few websites)
> > > > Then log into Wireshark
> > > >
> > > > Next:
> > > > When launching WS, immediately the capture starts a DNS authentication
> > > > trace
> > > > and an etherXXXXa* file with Windows & ISP usernames AND passwords is
> > > > created.
> > > > Since I expect WS to be literal, I would expect that those actions that
> > > > had
> > > > taken place in the past (logons & DNS authentication) would not be
> > > > captured
> > > > since WS had not been started when I logged on.  That means that this
> > > > information is being cached or worse somewhere.  For my peace of mind,
> > > > please
> > > > can you tell me about this security issue?  Thank you.
> > > > ......................
> > > >
> > > > Here is what Jeff wrote:
> > > > Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do
> the
> > > > capturing.  I'm pretty sure WinPCAP won't start capturing until you ask
> > > > it
> > > >
> > > > to
> > > > do so.  And I'm pretty sure that the OS's TCP/IP stack isn't going to
> > > > cache
> > > > stuff to give to WinPCAP after the fact.
> > > >
> > > > (BTW, the etherXXX file is just the temporary PCAP file that contains
> > > > the
> > > > packets that were captured--and what Wireshark displays for you.  The
> > > > fact
> > > >
> > > > that
> > > > your password, etc., are in there just indicate that your password,
> > > > etc.,
> > > > were
> > > > sent over the wire unencrypted.)
> > > > ..............
> > > > What Jeff described is what I expected but I believe that I understand
> > > > now what I am seeing.  WS does its own DNS.  So, that explains the
> > > > first question.
> > > >
> > > > The second issue, however, is still a big concern.  The etherXXXXa
> > > > file always contains the complete (passwords included) authentication
> > > > data plus more.  Again, this unsaved (by me) login information was
> > > > sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
> > > > and put into this file in the present. How can I prevent this login
> > > > info from being saved?  How can I encrypt this login info? This is a
> > > > security risk.
> > > >
> > > >
> > > > --
> > > > All that is necessary for evil to succeed is that good men do nothing.
> > > >
> > > >              ~Edmund Burke
> ___________________________________________________________________________
> > > > Sent via:    Wireshark-users mailing list
> > > > <wireshark-users () wireshark org>
> > > > Archives:    http://www.wireshark.org/lists/wireshark-users
> > > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > > >
> > > > mailto:wireshark-users-request () wireshark org?subject=unsubscribe
> ___________________________________________________________________________
> > > Sent via:    Wireshark-users mailing list <
> wireshark-users () wireshark org>
> > > Archives:    http://www.wireshark.org/lists/wireshark-users
> > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > >
> > > mailto:wireshark-users-request () wireshark org?subject=unsubscribe
> >
> >
> > --
> > All that is necessary for evil to succeed is that good men do nothing.
> >
> >              ~Edmund Burke
> ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org
> >
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >
> > mailto:wireshark-users-request () wireshark org?subject=unsubscribe
>
>
>
> ------------------------------
>
> Message: 9
> Date: Wed, 24 Mar 2010 08:25:58 -0800
> From: M K <gedropi () gmail com>
> Subject: Re: [Wireshark-users] from the past
> To: Community support list for Wireshark
>        <wireshark-users () wireshark org>
> Message-ID:
>        <b4ea502d1003240925v5b833a00vf24ef17885fa2ed2 () mail gmail com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> That is exactly what I am doing.  I log onto my Windows machine, then
> my ISP, then my proxy.  Then maybe go to a few websites, for example.
> Then maybe after a half hour, I may then start up a WS capture.
> Still, even after all that time between logons and actually starting a
> capture, the etherXXXXa tmp file still contains this private info.
>
> According to Jeff, the etherXXXXa file only captures what is not
> encrypted.  That makes this even more scary.  That means that not only
> is the info being captured but it isn't even being protected by even
> low-grade encryption.
>
> On 3/24/10, Gianluca Varenni <gianluca.varenni () cacetech com> wrote:
> > --------------------------------------------------
> > From: "M K" <gedropi () gmail com>
> > Sent: Wednesday, March 24, 2010 9:11 AM
> > To: "Community support list for Wireshark" <
> wireshark-users () wireshark org>
> > Subject: Re: [Wireshark-users] from the past
> >
> > > That is the question.  I am saying that some program (?) is capturing
> > > my unsaved login info.  Then at a later point, when I start a WS
> > > capture, that login info from the past is put into that EtherxXXXXa
> > > tmp file.
> >
> > What happens if you log into your ISP and proxy, wait let's say 5 minutes
> > and then start wireshark? Do those packets still show up? what is their
> > tiemstamp?
> >
> > GV
> >
> > > On 3/24/10, Gianluca Varenni <gianluca.varenni () cacetech com> wrote:
> > > > Are you saying that when you start Wireshark, wireshark itself starts
> > > > capturing, *before* you click the start capture button on it?
> > > > Which adapter is wireshark capturing from?
> > > >
> > > >
> > > > Have a nice day
> > > > GV
> > > >
> > > >
> > > > --------------------------------------------------
> > > > From: "M K" <gedropi () gmail com>
> > > > Sent: Wednesday, March 24, 2010 8:12 AM
> > > > To: <wireshark-users () wireshark org>
> > > > Subject: [Wireshark-users] from the past
> > > >
> > > > > Jeff Morriss suggested that I pose this question to you folks.
> > > > >
> > > > > Here is what I wrote:
> > > > > First:
> > > > > I first log onto Windows machine
> > > > > I log onto my Isp
> > > > > I log into my proxy
> > > > > Maybe do a few things online (eg. go to a few websites)
> > > > > Then log into Wireshark
> > > > >
> > > > > Next:
> > > > > When launching WS, immediately the capture starts a DNS authentication
> > > > > trace
> > > > > and an etherXXXXa* file with Windows & ISP usernames AND passwords is
> > > > > created.
> > > > > Since I expect WS to be literal, I would expect that those actions
> that
> > > > > had
> > > > > taken place in the past (logons & DNS authentication) would not be
> > > > > captured
> > > > > since WS had not been started when I logged on.  That means that this
> > > > > information is being cached or worse somewhere.  For my peace of mind,
> > > > > please
> > > > > can you tell me about this security issue?  Thank you.
> > > > > ......................
> > > > >
> > > > > Here is what Jeff wrote:
> > > > > Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do
> the
> > > > > capturing.  I'm pretty sure WinPCAP won't start capturing until you
> ask
> > > > > it
> > > > >
> > > > > to
> > > > > do so.  And I'm pretty sure that the OS's TCP/IP stack isn't going to
> > > > > cache
> > > > > stuff to give to WinPCAP after the fact.
> > > > >
> > > > > (BTW, the etherXXX file is just the temporary PCAP file that contains
> > > > > the
> > > > > packets that were captured--and what Wireshark displays for you.  The
> > > > > fact
> > > > >
> > > > > that
> > > > > your password, etc., are in there just indicate that your password,
> > > > > etc.,
> > > > > were
> > > > > sent over the wire unencrypted.)
> > > > > ..............
> > > > > What Jeff described is what I expected but I believe that I understand
> > > > > now what I am seeing.  WS does its own DNS.  So, that explains the
> > > > > first question.
> > > > >
> > > > > The second issue, however, is still a big concern.  The etherXXXXa
> > > > > file always contains the complete (passwords included) authentication
> > > > > data plus more.  Again, this unsaved (by me) login information was
> > > > > sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
> > > > > and put into this file in the present. How can I prevent this login
> > > > > info from being saved?  How can I encrypt this login info? This is a
> > > > > security risk.
> > > > >
> > > > >
> > > > > --
> > > > > All that is necessary for evil to succeed is that good men do nothing.
> > > > >
> > > > >              ~Edmund Burke
> ___________________________________________________________________________
> > > > > Sent via:    Wireshark-users mailing list
> > > > > <wireshark-users () wireshark org>
> > > > > Archives:    http://www.wireshark.org/lists/wireshark-users
> > > > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > > > >
> > > > > mailto:wireshark-users-request () wireshark org?subject=unsubscribe
> ___________________________________________________________________________
> > > > Sent via:    Wireshark-users mailing list <
> wireshark-users () wireshark org>
> > > > Archives:    http://www.wireshark.org/lists/wireshark-users
> > > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > > >
> > > > mailto:wireshark-users-request () wireshark org?subject=unsubscribe
> > >
> > >
> > > --
> > > All that is necessary for evil to succeed is that good men do nothing.
> > >
> > >              ~Edmund Burke
> ___________________________________________________________________________
> > > Sent via:    Wireshark-users mailing list <
> wireshark-users () wireshark org>
> > > Archives:    http://www.wireshark.org/lists/wireshark-users
> > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > >
> > > mailto:wireshark-users-request () wireshark org?subject=unsubscribe
> ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org
> >
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >
> > mailto:wireshark-users-request () wireshark org?subject=unsubscribe
>
>
> --
> All that is necessary for evil to succeed is that good men do nothing.
>
>              ~Edmund Burke
>
>
> ------------------------------
>
> Message: 10
> Date: Wed, 24 Mar 2010 16:37:06 +0000
> From: Graham Bloice <graham.bloice () trihedral com>
> Subject: Re: [Wireshark-users] from the past
> To: Community support list for Wireshark
>        <wireshark-users () wireshark org>
> Message-ID: <4BAA3FB2.3000307 () trihedral com>
> Content-Type: text/plain; charset="utf-8"
>
> On 24/03/2010 16:25, M K wrote:
> > That is exactly what I am doing.  I log onto my Windows machine, then
> > my ISP, then my proxy.  Then maybe go to a few websites, for example.
> > Then maybe after a half hour, I may then start up a WS capture.
> > Still, even after all that time between logons and actually starting a
> > capture, the etherXXXXa tmp file still contains this private info.
> >
> > According to Jeff, the etherXXXXa file only captures what is not
> > encrypted.  That makes this even more scary.  That means that not only
> > is the info being captured but it isn't even being protected by even
> > low-grade encryption.
> What protocol is carrying this info, might it be POP3?
>
> --
> Regards,
>
> Graham Bloice
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://www.wireshark.org/lists/wireshark-users/attachments/20100324/01f54b5c/attachment.htm
>
> ------------------------------
>
> Message: 11
> Date: Wed, 24 Mar 2010 09:50:23 -0700
> From: Gerald Combs <gerald () wireshark org>
> Subject: Re: [Wireshark-users] Link error on the Wireshark website
> To: Community support list for Wireshark
>        <wireshark-users () wireshark org>
> Message-ID: <4BAA42CF.6080002 () wireshark org>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Munther Hammouri wrote:
> > Hello,
> >
> > It seems that there is a link error on the fedoraproject.org
> > <http://fedoraproject.org> website. I was trying to download the Red Hat
> > / Fedora Standard package. I clicked on the link to it and I was then
> > moved to a page that had the following message:
> >
> > Fedora Package Database -- Invalid PackageBuild Name
> >
> > The package build you were linked to (name) does not appear in the
> > Package Database. If you received this error from a link on the
> > fedoraproject.org <http://fedoraproject.org> website, please report it.
> >
> >
> > Could you please fix this problem or tell me how I can get a Wireshark
> > version that would work on Fedora OS.
>
> According to
>
>
> http://www.fedoraguide.info/index.php?title=Main_Page#How_to_install_network_traffic_analyzer_.28Wireshark.29
>
> you should run "su -c 'yum install wireshark wireshark-gnome'". The link
> on the download page should be fixed.
>
>
> ------------------------------
>
> Message: 12
> Date: Wed, 24 Mar 2010 13:05:36 -0400
> From: Jeff Morriss <jeff.morriss.ws () gmail com>
> Subject: Re: [Wireshark-users] from the past
> To: Community support list for Wireshark
>        <wireshark-users () wireshark org>
> Message-ID: <4BAA4660.8090904 () gmail com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> M K wrote:
> > That is exactly what I am doing.  I log onto my Windows machine, then
> > my ISP, then my proxy.  Then maybe go to a few websites, for example.
> > Then maybe after a half hour, I may then start up a WS capture.
> > Still, even after all that time between logons and actually starting a
> > capture, the etherXXXXa tmp file still contains this private info.
> >
> > According to Jeff, the etherXXXXa file only captures what is not
> > encrypted.  That makes this even more scary.  That means that not only
> > is the info being captured but it isn't even being protected by even
> > low-grade encryption.
>
> Actually, the etherXXXX file captures everything, even if it is
> encrypted.  But you'll only find, for example, your password in plain
> text in that file (and in Wireshark's display) if the password is not
> encrypted.  (If it were encrypted, your password would not be
> recognizable.)
>
>
> ------------------------------
>
> Message: 13
> Date: Wed, 24 Mar 2010 10:07:17 -0700
> From: Gerald Combs <gerald () wireshark org>
> Subject: Re: [Wireshark-users] W2000 SP4 Wireshark 1.2.6 and 1.3.3 do
>        not work
> To: Community support list for Wireshark
>        <wireshark-users () wireshark org>
> Message-ID: <4BAA46C5.4030801 () wireshark org>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Graham Bloice wrote:
> > On 23/03/2010 16:47, Mail Box wrote:
> > > It has already been reported by another user but has been erroneously
> closed as resolved.
> > > That is not the case.
> > > The reported error persists at least on some installations of W2000 SP4.
> > > Wireshark 1.2.5 works on the same platform.
> > >
> > > Error:
> > > "The procedure entry point getaddrinfo could not be located in the
> dynamic link
> > > library W32_32.dll"
> > This call is made from the c-ares library, not wireshark itself.
> > According to MSDN
> > (http://msdn.microsoft.com/en-us/library/ms738520%28VS.85%29.aspx, see
> > blurb near bottom on older versions of Windows) to use this function on
> > Windows < XP SP2 requires one to include ws2tcpip.h and Wspiapi.h before
> > using the function.  This then uses an in-line copy of the function if
> > the system dll doesn't include it.  This would mean building our own
> > copy of c-ares.
> >
> > As all MS support for W2K ceases on 13 July 2010
> > (
> http://support.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Windows+2000&Filter=FilterNO
> )
> > is this worthwhile?
>
> 1.2.7 will restore Windows 2000 support. It is scheduled for release on
> March 31. In the meantime you can get a prerelease version from
> http://www.wireshark.org/download/prerelease/
>
>
> ------------------------------
>
> Message: 14
> Date: Wed, 24 Mar 2010 09:07:44 -0800
> From: M K <gedropi () gmail com>
> Subject: Re: [Wireshark-users] from the past
> To: Community support list for Wireshark
>        <wireshark-users () wireshark org>
> Message-ID:
>        <b4ea502d1003241007u249da40aj25f3b31937f9e717 () mail gmail com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> No.  There is no POP on this machine.  This is not related to email.
> But as far as protocols go...
> Logging onto Windows should be just local.  Right?
> Logging onto ISP should be PPP PAP protocol; then TCP/UDP.  Right?
> Then proxy logon; then  using SSL.
>
> Another issue is that sometimes these are being captured; sometimes
> not.  I am not sure what causes that info to be retained.  By its very
> nature, since tmp files are temporary, that file disappears.
>
> My question still is what program is causing this retention.  Is this
> unencrypted data being transferred?
>
> On 3/24/10, Graham Bloice <graham.bloice () trihedral com> wrote:
> > On 24/03/2010 16:25, M K wrote:
> > > That is exactly what I am doing.  I log onto my Windows machine, then
> > > my ISP, then my proxy.  Then maybe go to a few websites, for example.
> > > Then maybe after a half hour, I may then start up a WS capture.
> > > Still, even after all that time between logons and actually starting a
> > > capture, the etherXXXXa tmp file still contains this private info.
> > >
> > > According to Jeff, the etherXXXXa file only captures what is not
> > > encrypted.  That makes this even more scary.  That means that not only
> > > is the info being captured but it isn't even being protected by even
> > > low-grade encryption.
> > What protocol is carrying this info, might it be POP3?
> >
> > --
> > Regards,
> >
> > Graham Bloice
>
>
> --
> All that is necessary for evil to succeed is that good men do nothing.
>
>              ~Edmund Burke
>
>
> ------------------------------
>
> Message: 15
> Date: Wed, 24 Mar 2010 09:12:35 -0800
> From: M K <gedropi () gmail com>
> Subject: Re: [Wireshark-users] from the past
> To: Community support list for Wireshark
>        <wireshark-users () wireshark org>
> Message-ID:
>        <b4ea502d1003241012y37fc2d13l7f4c4ef29cb33365 () mail gmail com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> But I expected that the etherXXXXA tmp file would capture
> current/realtime traffic, not from the past.
>
> This isn't a criticism of WS.  I know that WS is a literal program.
>
> On 3/24/10, Jeff Morriss <jeff.morriss.ws () gmail com> wrote:
> > M K wrote:
> > > That is exactly what I am doing.  I log onto my Windows machine, then
> > > my ISP, then my proxy.  Then maybe go to a few websites, for example.
> > > Then maybe after a half hour, I may then start up a WS capture.
> > > Still, even after all that time between logons and actually starting a
> > > capture, the etherXXXXa tmp file still contains this private info.
> > >
> > > According to Jeff, the etherXXXXa file only captures what is not
> > > encrypted.  That makes this even more scary.  That means that not only
> > > is the info being captured but it isn't even being protected by even
> > > low-grade encryption.
> >
> > Actually, the etherXXXX file captures everything, even if it is
> > encrypted.  But you'll only find, for example, your password in plain
> > text in that file (and in Wireshark's display) if the password is not
> > encrypted.  (If it were encrypted, your password would not be
> recognizable.)
> >
> ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org
> >
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >
> > mailto:wireshark-users-request () wireshark org?subject=unsubscribe
>
>
> --
> All that is necessary for evil to succeed is that good men do nothing.
>
>              ~Edmund Burke
>
>
> ------------------------------
>
> Message: 16
> Date: Wed, 24 Mar 2010 13:31:06 -0400
> From: Kok-Yong Tan <ktan () realityartisans com>
> Subject: Re: [Wireshark-users] Upgraded wireshark to 1.2.6 but  nowold
>        pcapfiles cannot be read
> To: jpo () di uminho pt,   Community support list for Wireshark
>        <wireshark-users () wireshark org>
> Message-ID: <FC1E1EB4-6537-4ED3-BA12-7F61EB9C9527 () realityartisans com>
> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
>
>
> On Mar 24, 2010, at 02:19, Jose Pedro Oliveira wrote:
>
> > On 2010-03-24 05:32, Kok-Yong Tan wrote:
> > > On Mar 24, 2010, at 01:10, Jose Pedro Oliveira wrote:
> > >
> > > > On 2010-03-24 02:45, Kok-Yong Tan wrote:
> > > >
> > > > > Any recommendations?  Can I build the version of libz that predates
> > > > > this wholesale replacement of gz* functions?  Do you know which one
> > > > > that was?
> > > >
> > > > I had exactly the same problem you described using Wireshark from
> > > > MacPorts (and I've built both versions available: 1.2.6 and 1.3.3).
> > > >
> > > > While I haven't figured out what the problem was, I uninstalled them
> > > > and started using the Wireshark MacOSX pre-built binaries instead.
> > > > They are available for download here:
> > > >
> > > >    http://www.wireshark.org/download/osx/
> > > >
> > > > Note: I'm currently using the 1.3.3 build.
> > >
> > >
> > > Isn't 1.3.3 a developer build?
> >
> > Yes it is (I've been using it for quite a while now without finding
> > any problems) but you can always install the 1.2.6 binaries.
> >
> > But if really want the latest development release
> > you can find it here :)
> > http://www.wireshark.org/download/automated/osx/
>
>
> Many thanks.  But I think I'll stick with the MacPorts distribution
> since it builds in a very localized fashion and installs both source,
> libraries and executables in an easily removeable location:  /opt.
> I've discovered that getting Wireshark to build using the zlib 1.2.3
> libraries isn't as horrendously difficult as I'd imagined.  I'll let
> everybody know how it goes (it took me a little while to figure out
> how to do it as the instructions aren't very clear but my procedure
> seemed to work and I'm in mid-build right now).  And I've verified
> with the maintainer of the Wireshark port that he, too, had the same
> issues and that they went away as soon as he rebuilt his copy using
> zlib 1.2.3 instead of zlib 1.2.4.  But I want to test the build for
> myself since his rebuild was only on Snow Leopard while mine is on
> Snow Leopard, Leopard and Tiger (I have multiple machines and want to
> ensure Wireshark works on all those platforms).
> --
> Reality Artisans, Inc.             #   Network Wrangling and Delousing
> P.O. Box 565, Gracie Station       #   Apple Certified Consultant
> New York, NY 10028-0019            #   Apple Consultants Network member
> <http://www.realityartisans.com>   #   Apple Developer Connection member
> (212) 369-4876 (Voice)             #   My PGP public key can be found
> at <https://keyserver.pgp.com>
>
>
>
>
>
>
> ------------------------------
>
> Message: 17
> Date: Wed, 24 Mar 2010 17:48:49 +0000
> From: Graham Bloice <graham.bloice () trihedral com>
> Subject: Re: [Wireshark-users] from the past
> To: Community support list for Wireshark
>        <wireshark-users () wireshark org>
> Message-ID: <4BAA5081.8090305 () trihedral com>
> Content-Type: text/plain; charset="utf-8"
>
> On 24/03/2010 17:07, M K wrote:
> > No.  There is no POP on this machine.  This is not related to email.
> > But as far as protocols go...
> > Logging onto Windows should be just local.  Right?
> > Logging onto ISP should be PPP PAP protocol; then TCP/UDP.  Right?
> > Then proxy logon; then  using SSL.
> >
> > Another issue is that sometimes these are being captured; sometimes
> > not.  I am not sure what causes that info to be retained.  By its very
> > nature, since tmp files are temporary, that file disappears.
> >
> > My question still is what program is causing this retention.  Is this
> > unencrypted data being transferred?
> Well can you determine from the tmp capture file (load it into
> Wireshark) what protocol is carrying your username and password?
> Knowing that may help you determine what is causing the issue.
>
> --
> Regards,
>
> Graham Bloice
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://www.wireshark.org/lists/wireshark-users/attachments/20100324/c7adb73b/attachment.htm
>
> ------------------------------
>
> Message: 18
> Date: Wed, 24 Mar 2010 10:51:27 -0700
> From: "Gianluca Varenni" <gianluca.varenni () cacetech com>
> Subject: Re: [Wireshark-users] from the past
> To: "Community support list for Wireshark"
>        <wireshark-users () wireshark org>
> Message-ID: <8293559DDF6D4099BB467847FFD63368@NELSON3>
> Content-Type: text/plain; format=flowed; charset="iso-8859-1";
>        reply-type=original
>
> You didn't answer my questions:
>
> 1. what is the timestamp of those packets?
> 2. what interface are you capturing from?
>
> Are capturing from what is called "Adapter for generic dialup and VPN
> capture"?
>
> Have a nice day
> GV
>
>
>
> --------------------------------------------------
> From: "M K" <gedropi () gmail com>
> Sent: Wednesday, March 24, 2010 9:25 AM
> To: "Community support list for Wireshark" <wireshark-users () wireshark org>
> Subject: Re: [Wireshark-users] from the past
>
> > That is exactly what I am doing.  I log onto my Windows machine, then
> > my ISP, then my proxy.  Then maybe go to a few websites, for example.
> > Then maybe after a half hour, I may then start up a WS capture.
> > Still, even after all that time between logons and actually starting a
> > capture, the etherXXXXa tmp file still contains this private info.
> >
> > According to Jeff, the etherXXXXa file only captures what is not
> > encrypted.  That makes this even more scary.  That means that not only
> > is the info being captured but it isn't even being protected by even
> > low-grade encryption.
> >
> > On 3/24/10, Gianluca Varenni <gianluca.varenni () cacetech com> wrote:
> > > --------------------------------------------------
> > > From: "M K" <gedropi () gmail com>
> > > Sent: Wednesday, March 24, 2010 9:11 AM
> > > To: "Community support list for Wireshark"
> > > <wireshark-users () wireshark org>
> > > Subject: Re: [Wireshark-users] from the past
> > >
> > > > That is the question.  I am saying that some program (?) is capturing
> > > > my unsaved login info.  Then at a later point, when I start a WS
> > > > capture, that login info from the past is put into that EtherxXXXXa
> > > > tmp file.
> > >
> > > What happens if you log into your ISP and proxy, wait let's say 5
> minutes
> > > and then start wireshark? Do those packets still show up? what is their
> > > tiemstamp?
> > >
> > > GV
> > >
> > > > On 3/24/10, Gianluca Varenni <gianluca.varenni () cacetech com> wrote:
> > > > > Are you saying that when you start Wireshark, wireshark itself starts
> > > > > capturing, *before* you click the start capture button on it?
> > > > > Which adapter is wireshark capturing from?
> > > > >
> > > > >
> > > > > Have a nice day
> > > > > GV
> > > > >
> > > > >
> > > > > --------------------------------------------------
> > > > > From: "M K" <gedropi () gmail com>
> > > > > Sent: Wednesday, March 24, 2010 8:12 AM
> > > > > To: <wireshark-users () wireshark org>
> > > > > Subject: [Wireshark-users] from the past
> > > > >
> > > > > > Jeff Morriss suggested that I pose this question to you folks.
> > > > > >
> > > > > > Here is what I wrote:
> > > > > > First:
> > > > > > I first log onto Windows machine
> > > > > > I log onto my Isp
> > > > > > I log into my proxy
> > > > > > Maybe do a few things online (eg. go to a few websites)
> > > > > > Then log into Wireshark
> > > > > >
> > > > > > Next:
> > > > > > When launching WS, immediately the capture starts a DNS
> authentication
> > > > > > trace
> > > > > > and an etherXXXXa* file with Windows & ISP usernames AND passwords is
> > > > > > created.
> > > > > > Since I expect WS to be literal, I would expect that those actions
> > > > > > that
> > > > > > had
> > > > > > taken place in the past (logons & DNS authentication) would not be
> > > > > > captured
> > > > > > since WS had not been started when I logged on.  That means that this
> > > > > > information is being cached or worse somewhere.  For my peace of
> mind,
> > > > > > please
> > > > > > can you tell me about this security issue?  Thank you.
> > > > > > ......................
> > > > > >
> > > > > > Here is what Jeff wrote:
> > > > > > Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do
> > > > > > the
> > > > > > capturing.  I'm pretty sure WinPCAP won't start capturing until you
> > > > > > ask
> > > > > > it
> > > > > >
> > > > > > to
> > > > > > do so.  And I'm pretty sure that the OS's TCP/IP stack isn't going to
> > > > > > cache
> > > > > > stuff to give to WinPCAP after the fact.
> > > > > >
> > > > > > (BTW, the etherXXX file is just the temporary PCAP file that contains
> > > > > > the
> > > > > > packets that were captured--and what Wireshark displays for you.  The
> > > > > > fact
> > > > > >
> > > > > > that
> > > > > > your password, etc., are in there just indicate that your password,
> > > > > > etc.,
> > > > > > were
> > > > > > sent over the wire unencrypted.)
> > > > > > ..............
> > > > > > What Jeff described is what I expected but I believe that I
> understand
> > > > > > now what I am seeing.  WS does its own DNS.  So, that explains the
> > > > > > first question.
> > > > > >
> > > > > > The second issue, however, is still a big concern.  The etherXXXXa
> > > > > > file always contains the complete (passwords included) authentication
> > > > > > data plus more.  Again, this unsaved (by me) login information was
> > > > > > sent over the wire in the past (PPP PAP), yet it is being saved (by
> ?)
> > > > > > and put into this file in the present. How can I prevent this login
> > > > > > info from being saved?  How can I encrypt this login info? This is a
> > > > > > security risk.
> > > > > >
> > > > > >
> > > > > > --
> > > > > > All that is necessary for evil to succeed is that good men do
> nothing.
> > > > > >              ~Edmund Burke
> ___________________________________________________________________________
> > > > > > Sent via:    Wireshark-users mailing list
> > > > > > <wireshark-users () wireshark org>
> > > > > > Archives:    http://www.wireshark.org/lists/wireshark-users
> > > > > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > > > > >
> > > > > > mailto:wireshark-users-request () wireshark org?subject=unsubscribe
> ___________________________________________________________________________
> > > > > Sent via:    Wireshark-users mailing list
> > > > > <wireshark-users () wireshark org>
> > > > > Archives:    http://www.wireshark.org/lists/wireshark-users
> > > > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > > > >
> > > > > mailto:wireshark-users-request () wireshark org?subject=unsubscribe
> > > >
> > > >
> > > > --
> > > > All that is necessary for evil to succeed is that good men do nothing.
> > > >
> > > >              ~Edmund Burke
> ___________________________________________________________________________
> > > > Sent via:    Wireshark-users mailing list
> > > > <wireshark-users () wireshark org>
> > > > Archives:    http://www.wireshark.org/lists/wireshark-users
> > > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > > >
> > > > mailto:wireshark-users-request () wireshark org?subject=unsubscribe
> ___________________________________________________________________________
> > > Sent via:    Wireshark-users mailing list <
> wireshark-users () wireshark org>
> > > Archives:    http://www.wireshark.org/lists/wireshark-users
> > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > >
> > > mailto:wireshark-users-request () wireshark org?subject=unsubscribe
> >
> >
> > --
> > All that is necessary for evil to succeed is that good men do nothing.
> >
> >              ~Edmund Burke
> ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org
> >
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >
> > mailto:wireshark-users-request () wireshark org?subject=unsubscribe
>
>
>
> ------------------------------
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users () wireshark org
> https://wireshark.org/mailman/listinfo/wireshark-users
>
>
> End of Wireshark-users Digest, Vol 46, Issue 42
> ***********************************************
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe