Wireshark · Wireshark-users: Re: [Wireshark-users] from the past

["Gianluca Varenni" <gianluca.varenni@xxxxxxxxxxxx>]

You didn't answer my questions:

1. what is the timestamp of those packets?
2. what interface are you capturing from?

Are capturing from what is called "Adapter for generic dialup and VPN 
capture"?

Have a nice day
GV



--------------------------------------------------
From: "M K" <gedropi@xxxxxxxxx>
Sent: Wednesday, March 24, 2010 9:25 AM
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] from the past

> That is exactly what I am doing.  I log onto my Windows machine, then
> my ISP, then my proxy.  Then maybe go to a few websites, for example.
> Then maybe after a half hour, I may then start up a WS capture.
> Still, even after all that time between logons and actually starting a
> capture, the etherXXXXa tmp file still contains this private info.
>
> According to Jeff, the etherXXXXa file only captures what is not
> encrypted.  That makes this even more scary.  That means that not only
> is the info being captured but it isn't even being protected by even
> low-grade encryption.
>
> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
> > --------------------------------------------------
> > From: "M K" <gedropi@xxxxxxxxx>
> > Sent: Wednesday, March 24, 2010 9:11 AM
> > To: "Community support list for Wireshark" 
> > <wireshark-users@xxxxxxxxxxxxx>
> > Subject: Re: [Wireshark-users] from the past
> >
> > > That is the question.  I am saying that some program (?) is capturing
> > > my unsaved login info.  Then at a later point, when I start a WS
> > > capture, that login info from the past is put into that EtherxXXXXa
> > > tmp file.
> >
> > What happens if you log into your ISP and proxy, wait let's say 5 minutes
> > and then start wireshark? Do those packets still show up? what is their
> > tiemstamp?
> >
> > GV
> >
> > > On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
> > > > Are you saying that when you start Wireshark, wireshark itself starts
> > > > capturing, *before* you click the start capture button on it?
> > > > Which adapter is wireshark capturing from?
> > > >
> > > >
> > > > Have a nice day
> > > > GV
> > > >
> > > >
> > > > --------------------------------------------------
> > > > From: "M K" <gedropi@xxxxxxxxx>
> > > > Sent: Wednesday, March 24, 2010 8:12 AM
> > > > To: <wireshark-users@xxxxxxxxxxxxx>
> > > > Subject: [Wireshark-users] from the past
> > > >
> > > > > Jeff Morriss suggested that I pose this question to you folks.
> > > > >
> > > > > Here is what I wrote:
> > > > > First:
> > > > > I first log onto Windows machine
> > > > > I log onto my Isp
> > > > > I log into my proxy
> > > > > Maybe do a few things online (eg. go to a few websites)
> > > > > Then log into Wireshark
> > > > >
> > > > > Next:
> > > > > When launching WS, immediately the capture starts a DNS authentication
> > > > > trace
> > > > > and an etherXXXXa* file with Windows & ISP usernames AND passwords is
> > > > > created.
> > > > > Since I expect WS to be literal, I would expect that those actions 
> > > > > that
> > > > > had
> > > > > taken place in the past (logons & DNS authentication) would not be
> > > > > captured
> > > > > since WS had not been started when I logged on.  That means that this
> > > > > information is being cached or worse somewhere.  For my peace of mind,
> > > > > please
> > > > > can you tell me about this security issue?  Thank you.
> > > > > ......................
> > > > >
> > > > > Here is what Jeff wrote:
> > > > > Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do 
> > > > > the
> > > > > capturing.  I'm pretty sure WinPCAP won't start capturing until you 
> > > > > ask
> > > > > it
> > > > >
> > > > > to
> > > > > do so.  And I'm pretty sure that the OS's TCP/IP stack isn't going to
> > > > > cache
> > > > > stuff to give to WinPCAP after the fact.
> > > > >
> > > > > (BTW, the etherXXX file is just the temporary PCAP file that contains
> > > > > the
> > > > > packets that were captured--and what Wireshark displays for you.  The
> > > > > fact
> > > > >
> > > > > that
> > > > > your password, etc., are in there just indicate that your password,
> > > > > etc.,
> > > > > were
> > > > > sent over the wire unencrypted.)
> > > > > ..............
> > > > > What Jeff described is what I expected but I believe that I understand
> > > > > now what I am seeing.  WS does its own DNS.  So, that explains the
> > > > > first question.
> > > > >
> > > > > The second issue, however, is still a big concern.  The etherXXXXa
> > > > > file always contains the complete (passwords included) authentication
> > > > > data plus more.  Again, this unsaved (by me) login information was
> > > > > sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
> > > > > and put into this file in the present. How can I prevent this login
> > > > > info from being saved?  How can I encrypt this login info? This is a
> > > > > security risk.
> > > > >
> > > > >
> > > > > --
> > > > > All that is necessary for evil to succeed is that good men do nothing.
> > > > >
> > > > >              ~Edmund Burke
> > > > > ___________________________________________________________________________
> > > > > Sent via:    Wireshark-users mailing list
> > > > > <wireshark-users@xxxxxxxxxxxxx>
> > > > > Archives:    http://www.wireshark.org/lists/wireshark-users
> > > > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > > > >
> > > > > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
> > > >
> > > > ___________________________________________________________________________
> > > > Sent via:    Wireshark-users mailing list 
> > > > <wireshark-users@xxxxxxxxxxxxx>
> > > > Archives:    http://www.wireshark.org/lists/wireshark-users
> > > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > > >
> > > > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
> > >
> > >
> > > --
> > > All that is necessary for evil to succeed is that good men do nothing.
> > >
> > >              ~Edmund Burke
> > > ___________________________________________________________________________
> > > Sent via:    Wireshark-users mailing list 
> > > <wireshark-users@xxxxxxxxxxxxx>
> > > Archives:    http://www.wireshark.org/lists/wireshark-users
> > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > >
> > > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
> >
> > ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >
> > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
>
> --
> All that is necessary for evil to succeed is that good men do nothing.
>
>              ~Edmund Burke
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe