Wireshark-users: Re: [Wireshark-users] from the past

From: M K <gedropi@xxxxxxxxx>
Date: Wed, 24 Mar 2010 12:48:50 -0800
The etherXXXX file is only a tmp file written in hex.  I believe that
it would be impossible to open within WS because the only time the
ethernet file exists is when you are already in the middle of a
capture.  And it vanishes when you stop the capture or shut down WS, I
believe.  Opening another file while performing a capture is not
enabled.  Unless you had multiple instances of WS perhaps.

On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>
>
> --------------------------------------------------
> From: "M K" <gedropi@xxxxxxxxx>
> Sent: Wednesday, March 24, 2010 1:29 PM
> To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] from the past
>
>> The WS  capture file does have time stamps.  The etherXXXXa file lives
>> at:  \Documents and Settings\Administrator\Local Settings\Temp within
>> Windows.  This tmp file does not appear to have obvious timestamps.
>> Machine name, Administrator User name, packet source/dest and at
>> times, also the passwords to Windows and ISP.
>
> Wait... is this a pcap file or not? Can you open it with wireshark?
>
> Have a nice day
> GV
>
>
>>
>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>>
>>>
>>> --------------------------------------------------
>>> From: "M K" <gedropi@xxxxxxxxx>
>>> Sent: Wednesday, March 24, 2010 12:45 PM
>>> To: "Community support list for Wireshark"
>>> <wireshark-users@xxxxxxxxxxxxx>
>>> Subject: Re: [Wireshark-users] from the past
>>>
>>>> Sorry.  I got called away.
>>>>
>>>> The etherXXXX tmp file doesn't appear to have timestamps.  But within
>>>
>>> If it's a valid capture file, the packets must have a timestamp, if you
>>> open the file with wireshark.
>>>
>>> GV
>>>
>>>
>>>> WS, the LLC (Layer 2) & PPP LCP protocols are the first protocols to
>>>> show up in the trace at the time the login info is captured inside the
>>>> tmp file.
>>>>
>>>> I suspect that this info is being passed to the tmp file.  Possible
>>>> suspects: the OS or networking appliances.
>>>>
>>>> Yes, the interface is:  Adapter for generic dialup and VPN
>>>>
>>>> And thanks for this feedback and help.
>>>>
>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>>>> You didn't answer my questions:
>>>>>
>>>>> 1. what is the timestamp of those packets?
>>>>> 2. what interface are you capturing from?
>>>>>
>>>>> Are you capturing from what is called "Adapter for generic dialup and VPN
>>>>> capture"?
>>>>>
>>>>> Have a nice day
>>>>> GV
>>>>>
>>>>>
>>>>>
>>>>> --------------------------------------------------
>>>>> From: "M K" <gedropi@xxxxxxxxx>
>>>>> Sent: Wednesday, March 24, 2010 9:25 AM
>>>>> To: "Community support list for Wireshark"
>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>> Subject: Re: [Wireshark-users] from the past
>>>>>
>>>>>> That is exactly what I am doing.  I log onto my Windows machine, then
>>>>>> my ISP, then my proxy.  Then maybe go to a few websites, for example.
>>>>>> Then maybe after a half hour, I may then start up a WS capture.
>>>>>> Still, even after all that time between logons and actually starting a
>>>>>> capture, the etherXXXXa tmp file still contains this private info.
>>>>>>
>>>>>> According to Jeff, the etherXXXXa file only captures what is not
>>>>>> encrypted.  That makes this even more scary.  That means that not only
>>>>>> is the info being captured but it isn't even being protected by even
>>>>>> low-grade encryption.
>>>>>>
>>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>>>>>>
>>>>>>>
>>>>>>> --------------------------------------------------
>>>>>>> From: "M K" <gedropi@xxxxxxxxx>
>>>>>>> Sent: Wednesday, March 24, 2010 9:11 AM
>>>>>>> To: "Community support list for Wireshark"
>>>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>>>> Subject: Re: [Wireshark-users] from the past
>>>>>>>
>>>>>>>> That is the question.  I am saying that some program (?) is capturing
>>>>>>>> my unsaved login info.  Then at a later point, when I start a WS
>>>>>>>> capture, that login info from the past is put into that etherXXXXa
>>>>>>>> tmp file.
>>>>>>>
>>>>>>> What happens if you log into your ISP and proxy, wait let's say 5 minutes
>>>>>>> and then start wireshark? Do those packets still show up? What is their
>>>>>>> timestamp?
>>>>>>>
>>>>>>> GV
>>>>>>>
>>>>>>>>
>>>>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>>>>>>>> Are you saying that when you start Wireshark, wireshark itself starts
>>>>>>>>> capturing, *before* you click the start capture button on it?
>>>>>>>>> Which adapter is wireshark capturing from?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Have a nice day
>>>>>>>>> GV
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --------------------------------------------------
>>>>>>>>> From: "M K" <gedropi@xxxxxxxxx>
>>>>>>>>> Sent: Wednesday, March 24, 2010 8:12 AM
>>>>>>>>> To: <wireshark-users@xxxxxxxxxxxxx>
>>>>>>>>> Subject: [Wireshark-users] from the past
>>>>>>>>>
>>>>>>>>>> Jeff Morriss suggested that I pose this question to you folks.
>>>>>>>>>>
>>>>>>>>>> Here is what I wrote:
>>>>>>>>>> First:
>>>>>>>>>> I first log onto Windows machine
>>>>>>>>>> I log onto my ISP
>>>>>>>>>> I log into my proxy
>>>>>>>>>> Maybe do a few things online (eg. go to a few websites)
>>>>>>>>>> Then log into Wireshark
>>>>>>>>>>
>>>>>>>>>> Next:
>>>>>>>>>> When launching WS, immediately the capture starts a DNS authentication
>>>>>>>>>> trace and an etherXXXXa* file with Windows & ISP usernames AND passwords
>>>>>>>>>> is created.
>>>>>>>>>> Since I expect WS to be literal, I would expect that those actions that
>>>>>>>>>> had taken place in the past (logons & DNS authentication) would not be
>>>>>>>>>> captured since WS had not been started when I logged on.  That means that
>>>>>>>>>> this information is being cached or worse somewhere.  For my peace of
>>>>>>>>>> mind, please can you tell me about this security issue?  Thank you.
>>>>>>>>>> ......................
>>>>>>>>>>
>>>>>>>>>> Here is what Jeff wrote:
>>>>>>>>>> Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do the
>>>>>>>>>> capturing.  I'm pretty sure WinPCAP won't start capturing until you ask it
>>>>>>>>>> to do so.  And I'm pretty sure that the OS's TCP/IP stack isn't going to
>>>>>>>>>> cache stuff to give to WinPCAP after the fact.
>>>>>>>>>>
>>>>>>>>>> (BTW, the etherXXX file is just the temporary PCAP file that contains the
>>>>>>>>>> packets that were captured--and what Wireshark displays for you.  The fact
>>>>>>>>>> that your password, etc., are in there just indicates that your password,
>>>>>>>>>> etc., were sent over the wire unencrypted.)
>>>>>>>>>> ..............
>>>>>>>>>> What Jeff described is what I expected but I believe that I understand
>>>>>>>>>> now what I am seeing.  WS does its own DNS.  So, that explains the
>>>>>>>>>> first question.
>>>>>>>>>>
>>>>>>>>>> The second issue, however, is still a big concern.  The etherXXXXa
>>>>>>>>>> file always contains the complete (passwords included) authentication
>>>>>>>>>> data plus more.  Again, this unsaved (by me) login information was
>>>>>>>>>> sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
>>>>>>>>>> and put into this file in the present. How can I prevent this login
>>>>>>>>>> info from being saved?  How can I encrypt this login info? This is a
>>>>>>>>>> security risk.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> All that is necessary for evil to succeed is that good men do
>>>>>>>>>> nothing.
>>>>>>>>>>
>>>>>>>>>>              ~Edmund Burke
>>>>>>>>>> ___________________________________________________________________________
>>>>>>>>>> Sent via:    Wireshark-users mailing list
>>>>>>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>>>>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>>>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>>>>>>>
>>>>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe


-- 
All that is necessary for evil to succeed is that good men do nothing.

              ~Edmund Burke
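
Added example, not part of the thread: a check for the two questions asked above (is the temp file a pcap, and what timestamps do its packets carry) that also flags PPP PAP Authenticate-Requests, which carry the password in cleartext. It assumes a classic pcap file with link type PPP (9); other encapsulations need their own header handling, and the sample capture and its credentials are constructed.

```python
import struct
from datetime import datetime, timezone

MAGICS = {0xA1B2C3D4: 10**6, 0xA1B23C4D: 10**9}  # pcap magic -> timestamp ticks per second
LINKTYPE_PPP = 9                     # assumption: capture uses raw PPP framing
PPP_PAP, PAP_AUTH_REQ = 0xC023, 1    # RFC 1334 protocol number and request code

def scan_pcap(data: bytes):
    """Return (is_pcap, findings); each finding is one PAP Authenticate-Request."""
    endian = next((e for e in "<>" if len(data) >= 24
                   and struct.unpack(e + "I", data[:4])[0] in MAGICS), None)
    if endian is None:
        return False, []             # not a classic pcap file
    ticks = MAGICS[struct.unpack(endian + "I", data[:4])[0]]
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    findings, off = [], 24
    while off + 16 <= len(data):
        sec, frac, incl, _ = struct.unpack(endian + "4I", data[off:off + 16])
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if linktype != LINKTYPE_PPP or len(frame) < incl:
            continue                 # other encapsulation or truncated record
        if frame[:2] == b"\xff\x03":
            frame = frame[2:]        # skip optional HDLC address/control bytes
        if len(frame) < 8 or frame[:3] != struct.pack(">HB", PPP_PAP, PAP_AUTH_REQ):
            continue
        id_len = frame[6]
        if len(frame) < 8 + id_len:
            continue
        epoch = sec + frac / ticks
        findings.append({
            "epoch": epoch,
            "utc": datetime.fromtimestamp(epoch, timezone.utc).isoformat(),
            "peer_id": frame[7:7 + id_len].decode("latin-1"),
            "password_len": frame[7 + id_len],  # length only; the value is not echoed
        })
    return True, findings

def sample_capture() -> bytes:
    """Constructed sample: one PAP Authenticate-Request with made-up credentials."""
    user, pw = b"alice", b"example-pw"
    pap = bytes([PAP_AUTH_REQ, 1]) + struct.pack(">H", 6 + len(user) + len(pw))
    pap += bytes([len(user)]) + user + bytes([len(pw)]) + pw
    frame = b"\xff\x03" + struct.pack(">H", PPP_PAP) + pap
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_PPP)
    record = struct.pack("<4I", 1269463730, 0, len(frame), len(frame))
    return header + record + frame

if __name__ == "__main__":
    print(scan_pcap(sample_capture()))
```

A finding whose timestamp falls after the capture was started means the credentials were on the wire during the capture rather than replayed from an earlier login.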