Wireshark mailing list archives
Re: One IP-Port pair missing in the pcap file
From: vishal borkar <weeshalll () gmail com>
Date: Thu, 25 Mar 2010 09:12:30 +0530
Accepted that the SIP data might be encrypted. But the frames that you mentioned (no. 406 onwards) do not carry the actual SIP data. If you see closely, the SIP data is travelling in SSL packets (frame no. 422 onwards). All of it seems to be plain text. And my IP and port are nowhere to be seen in those packets. So my problem still persists.

Thanks and regards,
Vishal.

On Thu, Mar 25, 2010 at 12:30 AM, <wireshark-users-request () wireshark org> wrote:
Today's Topics:

   1. from the past (M K)
   2. RSL over LAPD over UDP not parsed (Christian de Waal)
   3. Re: Using LTE-MAC over UDP heuristic (Martin Mathieson)
   4. Re: from the past (Gianluca Varenni)
   5. Re: One IP-Port pair missing in the pcap file (Robert D. Scott)
   6. Re: W2000 SP4 Wireshark 1.2.6 and 1.3.3 do not work (Graham Bloice)
   7. Re: from the past (M K)
   8. Re: from the past (Gianluca Varenni)
   9. Re: from the past (M K)
  10. Re: from the past (Graham Bloice)
  11. Re: Link error on the Wireshark website (Gerald Combs)
  12. Re: from the past (Jeff Morriss)
  13. Re: W2000 SP4 Wireshark 1.2.6 and 1.3.3 do not work (Gerald Combs)
  14. Re: from the past (M K)
  15. Re: from the past (M K)
  16. Re: Upgraded wireshark to 1.2.6 but now old pcap files cannot be read (Kok-Yong Tan)
  17. Re: from the past (Graham Bloice)
  18. Re: from the past (Gianluca Varenni)

----------------------------------------------------------------------

Message: 1
Date: Wed, 24 Mar 2010 07:12:12 -0800
From: M K <gedropi () gmail com>
Subject: [Wireshark-users] from the past
To: wireshark-users () wireshark org
Message-ID: <b4ea502d1003240812r2154329er31101204b1f1a181 () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Jeff Morriss suggested that I pose this question to you folks. Here is what I wrote:

First:
  I first log onto Windows machine
  I log onto my ISP
  I log into my proxy
  Maybe do a few things online (e.g. go to a few websites)
  Then log into Wireshark

Next:
When launching WS, immediately the capture starts a DNS authentication trace and an etherXXXXa* file with Windows & ISP usernames AND passwords is created.

Since I expect WS to be literal, I would expect that those actions that had taken place in the past (logons & DNS authentication) would not be captured since WS had not been started when I logged on. That means that this information is being cached or worse somewhere. For my peace of mind, please can you tell me about this security issue? Thank you.

......................

Here is what Jeff wrote:

Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do the capturing. I'm pretty sure WinPCAP won't start capturing until you ask it to do so. And I'm pretty sure that the OS's TCP/IP stack isn't going to cache stuff to give to WinPCAP after the fact.

(BTW, the etherXXX file is just the temporary PCAP file that contains the packets that were captured--and what Wireshark displays for you. The fact that your password, etc., are in there just indicates that your password, etc., were sent over the wire unencrypted.)

..............

What Jeff described is what I expected, but I believe that I understand now what I am seeing. WS does its own DNS. So, that explains the first question.

The second issue, however, is still a big concern. The etherXXXXa file always contains the complete (passwords included) authentication data plus more. Again, this unsaved (by me) login information was sent over the wire in the past (PPP PAP), yet it is being saved (by ?) and put into this file in the present. How can I prevent this login info from being saved? How can I encrypt this login info? This is a security risk.

--
All that is necessary for evil to succeed is that good men do nothing.
~Edmund Burke

------------------------------

Message: 2
Date: Wed, 24 Mar 2010 16:49:49 +0100
From: Christian de Waal <Christian.deWaal () onephone de>
Subject: [Wireshark-users] RSL over LAPD over UDP not parsed
To: "wireshark-users () wireshark org" <wireshark-users () wireshark org>
Message-ID: <5A42207526F4F34C96C3A06F876FA54703892F2395 () srv01 erkrath opde.local>
Content-Type: text/plain; charset="us-ascii"

Dear all,

I have some tcpdump traces where I am very sure that the protocol stack used is RSL over LAPD over UDP. However, the RSL over LAPD part is not parsed by Wireshark, but only displayed as hex data. I have tried to find some configuration possibility to manually assign LAPD to the non-standard UDP port number which is used in this case, but I failed.

Therefore my question: can I somehow configure Wireshark to parse LAPD and RSL inside the UDP packets? If this is not possible configuration-wise, could someone point me to the places in the source code where I would have to make changes to "hard code" this protocol stack into a special Wireshark version which I could use specifically for these traces only?

Thanks a lot in advance for your help!

BR,
Christian de Waal

______________________________
Christian de Waal - Value Added Service IP Engineer
Tel: +49 (211) 5423 5006
Mobil: +49 (1577) 540 5006
Fax: +49 (211) 5423 5099
E-Mail: christian.dewaal () onephone de
Web: http://www.onephone.de

OnePhone Deutschland GmbH
Düsseldorfer Str. 16
40699 Erkrath, Deutschland
Geschäftsführer: Marc Mauermann
Sitz der Gesellschaft: Erkrath, Düsseldorfer Str. 16, D-40699 Erkrath
HRB 21674 Wuppertal

------------------------------

Message: 3
Date: Wed, 24 Mar 2010 15:59:54 +0000
From: Martin Mathieson <martin.r.mathieson () googlemail com>
Subject: Re: [Wireshark-users] Using LTE-MAC over UDP heuristic
To: Community support list for Wireshark <wireshark-users () wireshark org>
Message-ID: <7b8c30e41003240859l2d917edkbc33689c37c33a7e () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Hi Raju,

The UDP heuristic dissector isn't for use with dct2000 (now known as IxCatapult) .out files; it's a separate way to supply the MAC dissector with the info it needs. There is a sample C program linked from the MAC-LTE wiki page that will send MAC frames over UDP with the header format that the heuristic dissector understands.

- that program can send frames to a given machine name or IP address, where Wireshark can capture those UDP frames in the normal way
- there is a pattern on the front of the UDP payload that matches what the heuristic dissector is checking for
- it parses the UDP framing info to get the context the MAC-LTE dissector needs in order to fully decode the frame that follows

The program is BSD licensed, and the intention was that you could build this functionality into your equipment that deals with MAC frames and configure it to send to a machine running Wireshark.
The alternative is to have Wireshark understand MAC frames from a special file format, which is what I did with our .out files. I wouldn't recommend you try to use the .out file format if you're not using IxCatapult equipment.

Hope this helps,
Martin

On Wed, Mar 24, 2010 at 12:06 PM, Raju Udava <raju.us () gmail com> wrote:
> Hi,
>
> This is what I tried out, but wasn't able to see MAC parsed information:
>
> a) Enabled mac-lte protocol option in "Enabled Protocols"
> b) Enabled "Try heuristic sub-dissectors first" option for UDP
> c) Created a .out file using text2pcap, with dummy UDP header.
> d) UDP payload was started with "mac-lte" tag followed by information as specified in packet-mac-lte.h
>
> When I opened the output file in Wireshark, I couldn't see MAC protocol information & the packet was still being displayed as UDP.
>
> Please let me know if I need to use any specific UDP ports, or if I am missing out on enabling any option. If anyone has a sample Catapult 2000 file for MAC-LTE, please post.
>
> ===
> input.txt:
>
>   000000 6d 61 63 2d 6c 74 65 01 00 03 01 21 02 1f 00 10 00 00 00 00
>
>   text2pcap.exe -u 99,99 input.txt output.txt
>
> Opened output.txt in Wireshark. It was showing just as a normal packet.
> ===
>
> Thanks in advance.
>
> --
> Regards,
> Raju Udava

------------------------------

Message: 4
Date: Wed, 24 Mar 2010 09:01:13 -0700
From: "Gianluca Varenni" <gianluca.varenni () cacetech com>
Subject: Re: [Wireshark-users] from the past
To: <wireshark-users () wireshark org>
Message-ID: <BDFABABCB81F4453AE99371222CDB513@NELSON3>
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original

Are you saying that when you start Wireshark, wireshark itself starts capturing, *before* you click the start capture button on it? Which adapter is wireshark capturing from?

Have a nice day
GV

--------------------------------------------------
From: "M K" <gedropi () gmail com>
Sent: Wednesday, March 24, 2010 8:12 AM
To: <wireshark-users () wireshark org>
Subject: [Wireshark-users] from the past

------------------------------

Message: 5
Date: Wed, 24 Mar 2010 12:06:15 -0400
From: "Robert D. Scott" <robert () ufl edu>
Subject: Re: [Wireshark-users] One IP-Port pair missing in the pcap file
To: "'Community support list for Wireshark'" <wireshark-users () wireshark org>
Message-ID: <005d01cacb6b$ee616560$cb243020$@edu>
Content-Type: text/plain; charset="us-ascii"

It looks like your session initiation is encrypted (begin frame 406), immediately after the DNS query for voipb.sip.yahoo.com (frames 397-398) with answers in frames 403-405. You will not be able to decrypt any of the setup exchange. :(

Robert D. Scott               Robert () ufl edu
Senior Network Engineer       352-273-0113 Phone
CNS - Network Services        352-392-2061 CNS Phone Tree
University of Florida         352-392-9440 FAX
Florida Lambda Rail           352-294-3571 FLR NOC
Gainesville, FL 32611         321-663-0421 Cell

-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of vishal borkar
Sent: Wednesday, March 24, 2010 1:28 AM
To: wireshark-users () wireshark org
Subject: [Wireshark-users] One IP-Port pair missing in the pcap file

Hello all,

I recently captured a Yahoo voice communication between my machine and a friend. What I observed was that when I opened the file in a text editor I could not find the port and the IP of my system on which the actual communication took place.

FYI my IP (on which the UDP data travelled): 192.168.0.230
Port (on which the UDP data travelled): 22308

Though I can clearly see the communication happening on this IP-port pair when I opened the file in Wireshark. Can anyone tell me as to why this is happening? What I mean is, aren't the SIP packets supposed to carry this information? Since they are not carrying this information, then how is the communication taking place? I am attaching the file for your reference.

Thanks in advance,
Vishal

------------------------------

Message: 6
Date: Wed, 24 Mar 2010 16:06:53 +0000
From: Graham Bloice <graham.bloice () trihedral com>
Subject: Re: [Wireshark-users] W2000 SP4 Wireshark 1.2.6 and 1.3.3 do not work
To: Mail Box <mailbox () openmail cc>, Community support list for Wireshark <wireshark-users () wireshark org>
Message-ID: <4BAA389D.7010002 () trihedral com>
Content-Type: text/plain; charset="utf-8"

On 23/03/2010 16:47, Mail Box wrote:
> It has already been reported by another user but has been erroneously closed as resolved. That is not the case. The reported error persists at least on some installations of W2000 SP4. Wireshark 1.2.5 works on the same platform.
> Error: "The procedure entry point getaddrinfo could not be located in the dynamic link library W32_32.dll"

This call is made from the c-ares library, not wireshark itself. According to MSDN (http://msdn.microsoft.com/en-us/library/ms738520%28VS.85%29.aspx, see the blurb near the bottom on older versions of Windows), to use this function on Windows < XP SP2 requires one to include ws2tcpip.h and Wspiapi.h before using the function. This then uses an in-line copy of the function if the system dll doesn't include it. This would mean building our own copy of c-ares.

As all MS support for W2K ceases on 13 July 2010 (http://support.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Windows+2000&Filter=FilterNO), is this worthwhile?

--
Regards,
Graham Bloice

------------------------------

Message: 7
Date: Wed, 24 Mar 2010 08:11:40 -0800
From: M K <gedropi () gmail com>
Subject: Re: [Wireshark-users] from the past
To: Community support list for Wireshark <wireshark-users () wireshark org>
Message-ID: <b4ea502d1003240911u5bdb7dfesbad8876663ebb3de () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

That is the question. I am saying that some program (?) is capturing my unsaved login info. Then at a later point, when I start a WS capture, that login info from the past is put into that EtherxXXXXa tmp file.

On 3/24/10, Gianluca Varenni <gianluca.varenni () cacetech com> wrote:
> Are you saying that when you start Wireshark, wireshark itself starts capturing, *before* you click the start capture button on it? Which adapter is wireshark capturing from?
>
> Have a nice day
> GV

--
All that is necessary for evil to succeed is that good men do nothing.
~Edmund Burke

------------------------------

Message: 8
Date: Wed, 24 Mar 2010 09:16:36 -0700
From: "Gianluca Varenni" <gianluca.varenni () cacetech com>
Subject: Re: [Wireshark-users] from the past
To: "Community support list for Wireshark" <wireshark-users () wireshark org>
Message-ID: <98CC46AE61AA488DAE0567FB73F4C52D@NELSON3>
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original

--------------------------------------------------
From: "M K" <gedropi () gmail com>
Sent: Wednesday, March 24, 2010 9:11 AM
To: "Community support list for Wireshark" <wireshark-users () wireshark org>
Subject: Re: [Wireshark-users] from the past

> That is the question. I am saying that some program (?) is capturing my unsaved login info. Then at a later point, when I start a WS capture, that login info from the past is put into that EtherxXXXXa tmp file.

What happens if you log into your ISP and proxy, wait let's say 5 minutes and then start wireshark? Do those packets still show up?
What is their timestamp?

GV

------------------------------

Message: 9
Date: Wed, 24 Mar 2010 08:25:58 -0800
From: M K <gedropi () gmail com>
Subject: Re: [Wireshark-users] from the past
To: Community support list for Wireshark <wireshark-users () wireshark org>
Message-ID: <b4ea502d1003240925v5b833a00vf24ef17885fa2ed2 () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

That is exactly what I am doing. I log onto my Windows machine, then my ISP, then my proxy. Then maybe go to a few websites, for example. Then maybe after a half hour, I may then start up a WS capture. Still, even after all that time between logons and actually starting a capture, the etherXXXXa tmp file still contains this private info.

According to Jeff, the etherXXXXa file only captures what is not encrypted. That makes this even more scary. That means that not only is the info being captured but it isn't even being protected by even low-grade encryption.

On 3/24/10, Gianluca Varenni <gianluca.varenni () cacetech com> wrote:
> What happens if you log into your ISP and proxy, wait let's say 5 minutes and then start wireshark? Do those packets still show up? What is their timestamp?
>
> GV

--
All that is necessary for evil to succeed is that good men do nothing.
~Edmund Burke

------------------------------

Message: 10
Date: Wed, 24 Mar 2010 16:37:06 +0000
From: Graham Bloice <graham.bloice () trihedral com>
Subject: Re: [Wireshark-users] from the past
To: Community support list for Wireshark <wireshark-users () wireshark org>
Message-ID: <4BAA3FB2.3000307 () trihedral com>
Content-Type: text/plain; charset="utf-8"

On 24/03/2010 16:25, M K wrote:
> That is exactly what I am doing. I log onto my Windows machine, then my ISP, then my proxy. Then maybe go to a few websites, for example. Then maybe after a half hour, I may then start up a WS capture. Still, even after all that time between logons and actually starting a capture, the etherXXXXa tmp file still contains this private info.
>
> According to Jeff, the etherXXXXa file only captures what is not encrypted. That makes this even more scary. That means that not only is the info being captured but it isn't even being protected by even low-grade encryption.

What protocol is carrying this info, might it be POP3?

--
Regards,
Graham Bloice

------------------------------

Message: 11
Date: Wed, 24 Mar 2010 09:50:23 -0700
From: Gerald Combs <gerald () wireshark org>
Subject: Re: [Wireshark-users] Link error on the Wireshark website
To: Community support list for Wireshark <wireshark-users () wireshark org>
Message-ID: <4BAA42CF.6080002 () wireshark org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Munther Hammouri wrote:
> Hello,
>
> It seems that there is a link error on the fedoraproject.org website. I was trying to download the Red Hat / Fedora Standard package. I clicked on the link to it and I was then moved to a page that had the following message:
>
>   Fedora Package Database -- Invalid PackageBuild Name
>   The package build you were linked to (name) does not appear in the Package Database. If you received this error from a link on the fedoraproject.org website, please report it.
>
> Could you please fix this problem or tell me how I can get a Wireshark version that would work on Fedora OS.

According to http://www.fedoraguide.info/index.php?title=Main_Page#How_to_install_network_traffic_analyzer_.28Wireshark.29 you should run "su -c 'yum install wireshark wireshark-gnome'". The link on the download page should be fixed.

------------------------------

Message: 12
Date: Wed, 24 Mar 2010 13:05:36 -0400
From: Jeff Morriss <jeff.morriss.ws () gmail com>
Subject: Re: [Wireshark-users] from the past
To: Community support list for Wireshark <wireshark-users () wireshark org>
Message-ID: <4BAA4660.8090904 () gmail com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

M K wrote:
> That is exactly what I am doing. I log onto my Windows machine, then my ISP, then my proxy. Then maybe go to a few websites, for example. Then maybe after a half hour, I may then start up a WS capture.
Still, even after all that time between logons and actually starting a capture, the etherXXXXa tmp file still contains this private info. According to Jeff, the etherXXXXa file only captures what is not encrypted. That makes this even more scary. That means that not only is the info being captured but it isn't even being protected by even low-grade encryption.Actually, the etherXXXX file captures everything, even if it is encrypted. But you'll only find, for example, your password in plain text in that file (and in Wireshark's display) if the password is not encrypted. (If it were encrypted, your password would not be recognizable.) ------------------------------ Message: 13 Date: Wed, 24 Mar 2010 10:07:17 -0700 From: Gerald Combs <gerald () wireshark org> Subject: Re: [Wireshark-users] W2000 SP4 Wireshark 1.2.6 and 1.3.3 do not work To: Community support list for Wireshark <wireshark-users () wireshark org> Message-ID: <4BAA46C5.4030801 () wireshark org> Content-Type: text/plain; charset=UTF-8; format=flowed Graham Bloice wrote:On 23/03/2010 16:47, Mail Box wrote:It has already been reported by another user but has been erroneouslyclosed as resolved.That is not the case. The reported error persists at least on some installations of W2000 SP4. Wireshark 1.2.5 works on the same platform. Error: "The procedure entry point getaddrinfo could not be located in thedynamic linklibrary W32_32.dll"This call is made from the c-ares library, not wireshark itself. According to MSDN (http://msdn.microsoft.com/en-us/library/ms738520%28VS.85%29.aspx, see blurb near bottom on older versions of Windows) to use this function on Windows < XP SP2 requires one to include ws2tcpip.h and Wspiapi.h before using the function. This then uses an in-line copy of the function if the system dll doesn't include it. This would mean building our own copy of c-ares. 
As all MS support for W2K ceases on 13 July 2010 (http://support.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Windows+2000&Filter=FilterNO )is this worthwhile?1.2.7 will restore Windows 2000 support. It is scheduled for release on March 31. In the meantime you can get a prerelease version from http://www.wireshark.org/download/prerelease/ ------------------------------ Message: 14 Date: Wed, 24 Mar 2010 09:07:44 -0800 From: M K <gedropi () gmail com> Subject: Re: [Wireshark-users] from the past To: Community support list for Wireshark <wireshark-users () wireshark org> Message-ID: <b4ea502d1003241007u249da40aj25f3b31937f9e717 () mail gmail com> Content-Type: text/plain; charset=ISO-8859-1 No. There is no POP on this machine. This is not related to email. But as far as protocols go... Logging onto Windows should be just local. Right? Logging onto ISP should be PPP PAP protocol; then TCP/UDP. Right? Then proxy logon; then using SSL. Another issue is that sometimes these are being captured; sometimes not. I am not sure what causes that info to be retained. By its very nature, since tmp files are temporary, that file disappears. My question still is what program is causing this retention. Is this unencrypted data being transferred? On 3/24/10, Graham Bloice <graham.bloice () trihedral com> wrote:On 24/03/2010 16:25, M K wrote:That is exactly what I am doing. I log onto my Windows machine, then my ISP, then my proxy. Then maybe go to a few websites, for example. Then maybe after a half hour, I may then start up a WS capture. Still, even after all that time between logons and actually starting a capture, the etherXXXXa tmp file still contains this private info. According to Jeff, the etherXXXXa file only captures what is not encrypted. That makes this even more scary. That means that not only is the info being captured but it isn't even being protected by even low-grade encryption.What protocol is carrying this info, might it be POP3? 
-- Regards, Graham Bloice-- All that is necessary for evil to succeed is that good men do nothing. ~Edmund Burke ------------------------------ Message: 15 Date: Wed, 24 Mar 2010 09:12:35 -0800 From: M K <gedropi () gmail com> Subject: Re: [Wireshark-users] from the past To: Community support list for Wireshark <wireshark-users () wireshark org> Message-ID: <b4ea502d1003241012y37fc2d13l7f4c4ef29cb33365 () mail gmail com> Content-Type: text/plain; charset=ISO-8859-1 But I expected that the etherXXXXA tmp file would capture current/realtime traffic, not from the past. This isn't a criticism of WS. I know that WS is a literal program. On 3/24/10, Jeff Morriss <jeff.morriss.ws () gmail com> wrote:M K wrote:That is exactly what I am doing. I log onto my Windows machine, then my ISP, then my proxy. Then maybe go to a few websites, for example. Then maybe after a half hour, I may then start up a WS capture. Still, even after all that time between logons and actually starting a capture, the etherXXXXa tmp file still contains this private info. According to Jeff, the etherXXXXa file only captures what is not encrypted. That makes this even more scary. That means that not only is the info being captured but it isn't even being protected by even low-grade encryption.Actually, the etherXXXX file captures everything, even if it is encrypted. But you'll only find, for example, your password in plain text in that file (and in Wireshark's display) if the password is not encrypted. (If it were encrypted, your password would not berecognizable.)___________________________________________________________________________Sent via: Wireshark-users mailing list <wireshark-users () wireshark org Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe-- All that is necessary for evil to succeed is that good men do nothing. 
~Edmund Burke ------------------------------ Message: 16 Date: Wed, 24 Mar 2010 13:31:06 -0400 From: Kok-Yong Tan <ktan () realityartisans com> Subject: Re: [Wireshark-users] Upgraded wireshark to 1.2.6 but nowold pcapfiles cannot be read To: jpo () di uminho pt, Community support list for Wireshark <wireshark-users () wireshark org> Message-ID: <FC1E1EB4-6537-4ED3-BA12-7F61EB9C9527 () realityartisans com> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed On Mar 24, 2010, at 02:19, Jose Pedro Oliveira wrote:On 2010-03-24 05:32, Kok-Yong Tan wrote:On Mar 24, 2010, at 01:10, Jose Pedro Oliveira wrote:On 2010-03-24 02:45, Kok-Yong Tan wrote:Any recommendations? Can I build the version of libz that predates this wholesale replacement of gz* functions? Do you know which one that was?I had exactly the same problem you described using Wireshark from MacPorts (and I've built both versions available: 1.2.6 and 1.3.3). While I haven't figured out what the problem was, I uninstalled them and started using the Wireshark MacOSX pre-built binaries instead. They are available for download here: http://www.wireshark.org/download/osx/ Note: I'm currently using the 1.3.3 build.Isn't 1.3.3 a developer build?Yes it is (I've been using it for quite a while now without finding any problems) but you can always install the 1.2.6 binaries. But if really want the latest development release you can find it here :) http://www.wireshark.org/download/automated/osx/Many thanks. But I think I'll stick with the MacPorts distribution since it builds in a very localized fashion and installs both source, libraries and executables in an easily removeable location: /opt. I've discovered that getting Wireshark to build using the zlib 1.2.3 libraries isn't as horrendously difficult as I'd imagined. 
I'll let everybody know how it goes (it took me a little while to figure out how to do it as the instructions aren't very clear but my procedure seemed to work and I'm in mid-build right now). And I've verified with the maintainer of the Wireshark port that he, too, had the same issues and that they went away as soon as he rebuilt his copy using zlib 1.2.3 instead of zlib 1.2.4. But I want to test the build for myself since his rebuild was only on Snow Leopard while mine is on Snow Leopard, Leopard and Tiger (I have multiple machines and want to ensure Wireshark works on all those platforms). -- Reality Artisans, Inc. # Network Wrangling and Delousing P.O. Box 565, Gracie Station # Apple Certified Consultant New York, NY 10028-0019 # Apple Consultants Network member <http://www.realityartisans.com> # Apple Developer Connection member (212) 369-4876 (Voice) # My PGP public key can be found at <https://keyserver.pgp.com> ------------------------------ Message: 17 Date: Wed, 24 Mar 2010 17:48:49 +0000 From: Graham Bloice <graham.bloice () trihedral com> Subject: Re: [Wireshark-users] from the past To: Community support list for Wireshark <wireshark-users () wireshark org> Message-ID: <4BAA5081.8090305 () trihedral com> Content-Type: text/plain; charset="utf-8" On 24/03/2010 17:07, M K wrote:No. There is no POP on this machine. This is not related to email. But as far as protocols go... Logging onto Windows should be just local. Right? Logging onto ISP should be PPP PAP protocol; then TCP/UDP. Right? Then proxy logon; then using SSL. Another issue is that sometimes these are being captured; sometimes not. I am not sure what causes that info to be retained. By its very nature, since tmp files are temporary, that file disappears. My question still is what program is causing this retention. Is this unencrypted data being transferred?Well can you determine from the tmp capture file (load it into Wireshark) what protocol is carrying your username and password? 
Knowing that may help you determine what is causing the issue. -- Regards, Graham Bloice -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.wireshark.org/lists/wireshark-users/attachments/20100324/c7adb73b/attachment.htm ------------------------------ Message: 18 Date: Wed, 24 Mar 2010 10:51:27 -0700 From: "Gianluca Varenni" <gianluca.varenni () cacetech com> Subject: Re: [Wireshark-users] from the past To: "Community support list for Wireshark" <wireshark-users () wireshark org> Message-ID: <8293559DDF6D4099BB467847FFD63368@NELSON3> Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original You didn't answer my questions: 1. what is the timestamp of those packets? 2. what interface are you capturing from? Are capturing from what is called "Adapter for generic dialup and VPN capture"? Have a nice day GV -------------------------------------------------- From: "M K" <gedropi () gmail com> Sent: Wednesday, March 24, 2010 9:25 AM To: "Community support list for Wireshark" <wireshark-users () wireshark org> Subject: Re: [Wireshark-users] from the pastThat is exactly what I am doing. I log onto my Windows machine, then my ISP, then my proxy. Then maybe go to a few websites, for example. Then maybe after a half hour, I may then start up a WS capture. Still, even after all that time between logons and actually starting a capture, the etherXXXXa tmp file still contains this private info. According to Jeff, the etherXXXXa file only captures what is not encrypted. That makes this even more scary. That means that not only is the info being captured but it isn't even being protected by even low-grade encryption. 
On 3/24/10, Gianluca Varenni <gianluca.varenni () cacetech com> wrote:-------------------------------------------------- From: "M K" <gedropi () gmail com> Sent: Wednesday, March 24, 2010 9:11 AM To: "Community support list for Wireshark" <wireshark-users () wireshark org> Subject: Re: [Wireshark-users] from the pastThat is the question. I am saying that some program (?) is capturing my unsaved login info. Then at a later point, when I start a WS capture, that login info from the past is put into that EtherxXXXXa tmp file.What happens if you log into your ISP and proxy, wait let's say 5minutesand then start wireshark? Do those packets still show up? what is their tiemstamp? GVOn 3/24/10, Gianluca Varenni <gianluca.varenni () cacetech com> wrote:Are you saying that when you start Wireshark, wireshark itself starts capturing, *before* you click the start capture button on it? Which adapter is wireshark capturing from? Have a nice day GV -------------------------------------------------- From: "M K" <gedropi () gmail com> Sent: Wednesday, March 24, 2010 8:12 AM To: <wireshark-users () wireshark org> Subject: [Wireshark-users] from the pastJeff Morriss suggested that I pose this question to you folks. Here is what I wrote: First: I first log onto Windows machine I log onto my Isp I log into my proxy Maybe do a few things online (eg. go to a few websites) Then log into Wireshark Next: When launching WS, immediately the capture starts a DNSauthenticationtrace and an etherXXXXa* file with Windows & ISP usernames AND passwords is created. Since I expect WS to be literal, I would expect that those actions that had taken place in the past (logons & DNS authentication) would not be captured since WS had not been started when I logged on. That means that this information is being cached or worse somewhere. For my peace ofmind,please can you tell me about this security issue? Thank you. ...................... 
Here is what Jeff wrote: Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do the capturing. I'm pretty sure WinPCAP won't start capturing until you ask it to do so. And I'm pretty sure that the OS's TCP/IP stack isn't going to cache stuff to give to WinPCAP after the fact. (BTW, the etherXXX file is just the temporary PCAP file that contains the packets that were captured--and what Wireshark displays for you. The fact that your password, etc., are in there just indicate that your password, etc., were sent over the wire unencrypted.) .............. What Jeff described is what I expected but I believe that Iunderstandnow what I am seeing. WS does its own DNS. So, that explains the first question. The second issue, however, is still a big concern. The etherXXXXa file always contains the complete (passwords included) authentication data plus more. Again, this unsaved (by me) login information was sent over the wire in the past (PPP PAP), yet it is being saved (by?)and put into this file in the present. How can I prevent this login info from being saved? How can I encrypt this login info? This is a security risk. -- All that is necessary for evil to succeed is that good men donothing.~Edmund Burke___________________________________________________________________________Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe___________________________________________________________________________Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe-- All that is necessary for evil to succeed is that good men do nothing. 
~Edmund Burke___________________________________________________________________________Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe___________________________________________________________________________Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe-- All that is necessary for evil to succeed is that good men do nothing. ~Edmund Burke___________________________________________________________________________Sent via: Wireshark-users mailing list <wireshark-users () wireshark org Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe------------------------------ _______________________________________________ Wireshark-users mailing list Wireshark-users () wireshark org https://wireshark.org/mailman/listinfo/wireshark-users End of Wireshark-users Digest, Vol 46, Issue 42 ***********************************************
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
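Two questions in the quoted "from the past" thread are answerable directly from the capture file: Graham Bloice asks which protocol carries the username and password, and Gianluca Varenni asks what timestamp those frames have. The script below is an added example, not code from this thread or from the Wireshark project: it walks a classic pcap file, flags PPP PAP Authenticate-Request frames (the cleartext ISP logon the poster mentions), and reports the frame number, timestamp, protocol and peer-id, giving only the length of the password so the audit report itself does not repeat the secret. The sample capture is constructed inline with made-up values (`alice`, `s3cret`, and 2010-era timestamps), so it runs offline; the pcap and PPP/PAP layouts follow the published formats (RFC 1661, RFC 1334), and the only assumption is that the PPP frames use the HDLC-style 0xff 0x03 prefix, which the parser also tolerates being absent.

```python
import struct
from datetime import datetime, timezone

# Classic pcap constants: native-endian magic and LINKTYPE_PPP (9).
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_PPP = 9

# PPP protocol numbers (RFC 1661) and the PAP code of interest (RFC 1334).
PPP_PROTO_IP = 0x0021
PPP_PROTO_LCP = 0xC021
PPP_PROTO_PAP = 0xC023
PAP_AUTH_REQUEST = 1


def ppp_frame(proto, payload):
    """HDLC-style PPP frame: address 0xff, control 0x03, 16-bit protocol, payload."""
    return b"\xff\x03" + struct.pack("!H", proto) + payload


def pap_auth_request(ident, peer_id, password):
    """PAP Authenticate-Request: code, id, length, then length-prefixed peer-id and password."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body


def build_sample_pcap():
    """Constructed sample capture (not a real trace): LCP, a cleartext PAP logon, then an IP packet."""
    frames = [
        (1269410000, 0, ppp_frame(PPP_PROTO_LCP, b"\x01\x01\x00\x04")),
        (1269410001, 250000, ppp_frame(PPP_PROTO_PAP, pap_auth_request(7, b"alice", b"s3cret"))),
        (1269410002, 0, ppp_frame(PPP_PROTO_IP, b"\x45\x00\x00\x14" + b"\x00" * 16)),
    ]
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype.
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_PPP)
    for sec, usec, data in frames:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out


def iter_pcap_frames(data):
    """Yield (frame_no, epoch_seconds, linktype, frame_bytes) for each record in a classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # the same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    offset, frame_no = 24, 0
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame_no += 1
        yield frame_no, sec + usec / 1e6, linktype, data[offset:offset + incl_len]
        offset += incl_len


def find_cleartext_pap(pcap_bytes):
    """Return one finding per PAP Authenticate-Request; the password is reported by length only."""
    findings = []
    for frame_no, ts, linktype, frame in iter_pcap_frames(pcap_bytes):
        if linktype != LINKTYPE_PPP:
            continue
        off = 2 if frame[:2] == b"\xff\x03" else 0  # address/control may be compressed away
        if len(frame) < off + 6:
            continue
        proto, = struct.unpack_from("!H", frame, off)
        if proto != PPP_PROTO_PAP:
            continue
        pap = frame[off + 2:]
        code, _ident, length = struct.unpack_from("!BBH", pap, 0)
        if code != PAP_AUTH_REQUEST or length > len(pap) or length < 6:
            continue
        pid_len = pap[4]
        if 5 + pid_len + 1 > length:  # truncated peer-id field
            continue
        peer_id = pap[5:5 + pid_len]
        pw_len = pap[5 + pid_len]
        if 6 + pid_len + pw_len > length:  # truncated password field
            continue
        findings.append({
            "frame": frame_no,
            "time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="microseconds"),
            "protocol": "PPP PAP Authenticate-Request",
            "peer_id": peer_id.decode("latin-1"),
            "password_length": pw_len,
        })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_pap(build_sample_pcap()):
        print(f"frame {f['frame']} at {f['time']}: {f['protocol']} for {f['peer_id']!r} "
              f"({f['password_length']}-byte password sent in the clear)")
```

Pointing `find_cleartext_pap` at the bytes of a saved temporary capture gives the same answer Wireshark's dissector would (the `pap` display filter shows the same frames), but in a form that can be logged without copying the credential; a frame timestamp well before the capture was started is what Gianluca's question is designed to surface.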
Current thread:
- One IP-Port pair missing in the pcap file vishal borkar (Mar 24)
- Re: One IP-Port pair missing in the pcap file Robert D. Scott (Mar 24)
- <Possible follow-ups>
- Re: One IP-Port pair missing in the pcap file vishal borkar (Mar 24)
- Re: One IP-Port pair missing in the pcap file Abhijit Bare (Mar 24)