ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online

Wireshark-users: Re: [Wireshark-users] from the past

From: M K <gedropi@xxxxxxxxx>
Date: Wed, 24 Mar 2010 08:25:58 -0800
That is exactly what I am doing.  I log onto my Windows machine, then
my ISP, then my proxy.  Then maybe go to a few websites, for example.
Then maybe after a half hour, I may then start up a WS capture.
Still, even after all that time between logons and actually starting a
capture, the etherXXXXa tmp file still contains this private info.

According to Jeff, the etherXXXXa file only captures what is not
encrypted.  That makes this even more scary.  That means that not only
is the info being captured but it isn't even being protected by even
low-grade encryption.

On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>
>
> --------------------------------------------------
> From: "M K" <gedropi@xxxxxxxxx>
> Sent: Wednesday, March 24, 2010 9:11 AM
> To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] from the past
>
>> That is the question.  I am saying that some program (?) is capturing
>> my unsaved login info.  Then at a later point, when I start a WS
>> capture, that login info from the past is put into that EtherxXXXXa
>> tmp file.
>
> What happens if you log into your ISP and proxy, wait let's say 5 minutes
> and then start wireshark? Do those packets still show up? what is their
> tiemstamp?
>
> GV
>
>>
>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>> Are you saying that when you start Wireshark, wireshark itself starts
>>> capturing, *before* you click the start capture button on it?
>>> Which adapter is wireshark capturing from?
>>>
>>>
>>> Have a nice day
>>> GV
>>>
>>>
>>> --------------------------------------------------
>>> From: "M K" <gedropi@xxxxxxxxx>
>>> Sent: Wednesday, March 24, 2010 8:12 AM
>>> To: <wireshark-users@xxxxxxxxxxxxx>
>>> Subject: [Wireshark-users] from the past
>>>
>>>> Jeff Morriss suggested that I pose this question to you folks.
>>>>
>>>> Here is what I wrote:
>>>> First:
>>>> I first log onto Windows machine
>>>> I log onto my Isp
>>>> I log into my proxy
>>>> Maybe do a few things online (eg. go to a few websites)
>>>> Then log into Wireshark
>>>>
>>>> Next:
>>>> When launching WS, immediately the capture starts a DNS authentication
>>>> trace
>>>> and an etherXXXXa* file with Windows & ISP usernames AND passwords is
>>>> created.
>>>> Since I expect WS to be literal, I would expect that those actions that
>>>> had
>>>> taken place in the past (logons & DNS authentication) would not be
>>>> captured
>>>> since WS had not been started when I logged on.  That means that this
>>>> information is being cached or worse somewhere.  For my peace of mind,
>>>> please
>>>> can you tell me about this security issue?  Thank you.
>>>> ......................
>>>>
>>>> Here is what Jeff wrote:
>>>> Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do the
>>>> capturing.  I'm pretty sure WinPCAP won't start capturing until you ask
>>>> it
>>>>
>>>> to
>>>> do so.  And I'm pretty sure that the OS's TCP/IP stack isn't going to
>>>> cache
>>>> stuff to give to WinPCAP after the fact.
>>>>
>>>> (BTW, the etherXXX file is just the temporary PCAP file that contains
>>>> the
>>>> packets that were captured--and what Wireshark displays for you.  The
>>>> fact
>>>>
>>>> that
>>>> your password, etc., are in there just indicate that your password,
>>>> etc.,
>>>> were
>>>> sent over the wire unencrypted.)
>>>> ..............
>>>> What Jeff described is what I expected but I believe that I understand
>>>> now what I am seeing.  WS does its own DNS.  So, that explains the
>>>> first question.
>>>>
>>>> The second issue, however, is still a big concern.  The etherXXXXa
>>>> file always contains the complete (passwords included) authentication
>>>> data plus more.  Again, this unsaved (by me) login information was
>>>> sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
>>>> and put into this file in the present. How can I prevent this login
>>>> info from being saved?  How can I encrypt this login info? This is a
>>>> security risk.
>>>>
>>>>
>>>> --
>>>> All that is necessary for evil to succeed is that good men do nothing.
>>>>
>>>>              ~Edmund Burke
>>>> ___________________________________________________________________________
>>>> Sent via:    Wireshark-users mailing list
>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>
>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>
>>> ___________________________________________________________________________
>>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>
>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>
>>
>>
>> --
>> All that is necessary for evil to succeed is that good men do nothing.
>>
>>              ~Edmund Burke
>> ___________________________________________________________________________
>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives:    http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>
>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>


-- 
All that is necessary for evil to succeed is that good men do nothing.

              ~Edmund Burke