Wireshark-users: Re: [Wireshark-users] from the past
From: M K <gedropi@xxxxxxxxx>
Date: Wed, 24 Mar 2010 13:29:55 -0800
Closer to #2. The etherXXXX file is only created when I start a WS capture. It is apparent to me now that this tmp file is pretty identical to the capture inside WS. OK. But, I guess this exercise still brings home the problem of who is (off and on) pulling my password information, from where and where is it going? I know this isn't a WS problem. WS was only doing its job. About the transfer of authentication data, why isn't it encrypted? What can I do to make this happen? It doesn't do a lick of good to harden your computer if your authentication data is all over the place in clear text. Thanks On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote: > Now I'm a bit confused (I'm probably missing something here). In your > original email you said > >>>>>>>>>>>> The second issue, however, is still a big concern. The >>>>>>>>>>>> etherXXXXa >>>>>>>>>>>> file always contains the complete (passwords included) >>>>>>>>>>>> authentication >>>>>>>>>>>> data plus more. Again, this unsaved (by me) login information >>>>>>>>>>>> was >>>>>>>>>>>> sent over the wire in the past (PPP PAP), yet it is being saved >>>>>>>>>>>> (by >>>>>>>>>>>> ?) >>>>>>>>>>>> and put into this file in the present. How can I prevent this >>>>>>>>>>>> login >>>>>>>>>>>> info from being saved? How can I encrypt this login info? This >>>>>>>>>>>> is >>>>>>>>>>>> >>>>>>>>>>>> a >>>>>>>>>>>> security risk. > > I don't understand if > > 1. the file etherXXXX "magically" appears even when you do not start > wireshark and you do not start a capture > > or > > 2. you do open wireshark and start a capture (in this case wireshark does > create an etherXXXX file), and you see packets containing your username and > password (and other sensitive data) that were exchanged with your ISP/proxy > *well before* you started to capture with wireshark. > > Which one is the right one? > > GV > > > > > > -------------------------------------------------- > From: "M K" <gedropi@xxxxxxxxx> > Sent: Wednesday, March 24, 2010 1:48 PM > To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx> > Subject: Re: [Wireshark-users] from the past > >> The etherXXXX file is only a tmp file written in hex. I believe that >> it would be impossible to open within WS because the only time the >> ethernet file exists is when you are already in the middle of a >> capture. And it vanishes when you stop the capture or shut down WS, I >> believe. Opening another file while performing a capture is not >> enabled. Unless if you had multiple instances of WS perhaps. >> >> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote: >>> >>> >>> -------------------------------------------------- >>> From: "M K" <gedropi@xxxxxxxxx> >>> Sent: Wednesday, March 24, 2010 1:29 PM >>> To: "Community support list for Wireshark" >>> <wireshark-users@xxxxxxxxxxxxx> >>> Subject: Re: [Wireshark-users] from the past >>> >>>> The WS capture file does have time stamps. The etherXXXXa file lives >>>> at: \Documents and Settings\Administrator\Local Settings\Temp within >>>> Windows. This tmp file does not appear to have obvious timestamps. >>>> Machine name, Administrator User name, packet source/dest and at >>>> times, also the passwords to Windows and ISP. >>> >>> Wait... is this a pcap file or not? Can you open it with wireshark? >>> >>> Have a nice day >>> GV >>> >>> >>>> >>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote: >>>>> >>>>> >>>>> -------------------------------------------------- >>>>> From: "M K" <gedropi@xxxxxxxxx> >>>>> Sent: Wednesday, March 24, 2010 12:45 PM >>>>> To: "Community support list for Wireshark" >>>>> <wireshark-users@xxxxxxxxxxxxx> >>>>> Subject: Re: [Wireshark-users] from the past >>>>> >>>>>> Sorry. I got called away. >>>>>> >>>>>> The etherXXXX tmp file doesn't appear to have timestamps. But within >>>>> >>>>> If it's a valid capture file, the packets must have a timestamp, if you >>>>> open >>>>> the file with wireshark. >>>>> >>>>> GV >>>>> >>>>> >>>>>> WS, the LLC (Layer 2) & PPP LCP protocols are the first protocols to >>>>>> show up in the trace at the time the login info is captured inside the >>>>>> tmp file. >>>>>> >>>>>> I suspect that this info is being passed to the tmp file. Possible >>>>>> suspects: the OS or networking appliances. >>>>>> >>>>>> Yes, the interface is: Adapter for generic dialup and VPN >>>>>> >>>>>> And thanks for this feedback and help. >>>>>> >>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote: >>>>>>> You didn't answer my questions: >>>>>>> >>>>>>> 1. what is the timestamp of those packets? >>>>>>> 2. what interface are you capturing from? >>>>>>> >>>>>>> Are capturing from what is called "Adapter for generic dialup and VPN >>>>>>> capture"? >>>>>>> >>>>>>> Have a nice day >>>>>>> GV >>>>>>> >>>>>>> >>>>>>> >>>>>>> -------------------------------------------------- >>>>>>> From: "M K" <gedropi@xxxxxxxxx> >>>>>>> Sent: Wednesday, March 24, 2010 9:25 AM >>>>>>> To: "Community support list for Wireshark" >>>>>>> <wireshark-users@xxxxxxxxxxxxx> >>>>>>> Subject: Re: [Wireshark-users] from the past >>>>>>> >>>>>>>> That is exactly what I am doing. I log onto my Windows machine, >>>>>>>> then >>>>>>>> my ISP, then my proxy. Then maybe go to a few websites, for >>>>>>>> example. >>>>>>>> Then maybe after a half hour, I may then start up a WS capture. >>>>>>>> Still, even after all that time between logons and actually starting >>>>>>>> >>>>>>>> a >>>>>>>> capture, the etherXXXXa tmp file still contains this private info. >>>>>>>> >>>>>>>> According to Jeff, the etherXXXXa file only captures what is not >>>>>>>> encrypted. That makes this even more scary. That means that not >>>>>>>> only >>>>>>>> is the info being captured but it isn't even being protected by even >>>>>>>> low-grade encryption. >>>>>>>> >>>>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote: >>>>>>>>> >>>>>>>>> >>>>>>>>> -------------------------------------------------- >>>>>>>>> From: "M K" <gedropi@xxxxxxxxx> >>>>>>>>> Sent: Wednesday, March 24, 2010 9:11 AM >>>>>>>>> To: "Community support list for Wireshark" >>>>>>>>> <wireshark-users@xxxxxxxxxxxxx> >>>>>>>>> Subject: Re: [Wireshark-users] from the past >>>>>>>>> >>>>>>>>>> That is the question. I am saying that some program (?) is >>>>>>>>>> capturing >>>>>>>>>> my unsaved login info. Then at a later point, when I start a WS >>>>>>>>>> capture, that login info from the past is put into that >>>>>>>>>> EtherxXXXXa >>>>>>>>>> tmp file. >>>>>>>>> >>>>>>>>> What happens if you log into your ISP and proxy, wait let's say 5 >>>>>>>>> minutes >>>>>>>>> and then start wireshark? Do those packets still show up? what is >>>>>>>>> their >>>>>>>>> tiemstamp? >>>>>>>>> >>>>>>>>> GV >>>>>>>>> >>>>>>>>>> >>>>>>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> >>>>>>>>>> wrote: >>>>>>>>>>> Are you saying that when you start Wireshark, wireshark itself >>>>>>>>>>> starts >>>>>>>>>>> capturing, *before* you click the start capture button on it? >>>>>>>>>>> Which adapter is wireshark capturing from? >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Have a nice day >>>>>>>>>>> GV >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -------------------------------------------------- >>>>>>>>>>> From: "M K" <gedropi@xxxxxxxxx> >>>>>>>>>>> Sent: Wednesday, March 24, 2010 8:12 AM >>>>>>>>>>> To: <wireshark-users@xxxxxxxxxxxxx> >>>>>>>>>>> Subject: [Wireshark-users] from the past >>>>>>>>>>> >>>>>>>>>>>> Jeff Morriss suggested that I pose this question to you folks. >>>>>>>>>>>> >>>>>>>>>>>> Here is what I wrote: >>>>>>>>>>>> First: >>>>>>>>>>>> I first log onto Windows machine >>>>>>>>>>>> I log onto my Isp >>>>>>>>>>>> I log into my proxy >>>>>>>>>>>> Maybe do a few things online (eg. go to a few websites) >>>>>>>>>>>> Then log into Wireshark >>>>>>>>>>>> >>>>>>>>>>>> Next: >>>>>>>>>>>> When launching WS, immediately the capture starts a DNS >>>>>>>>>>>> authentication >>>>>>>>>>>> trace >>>>>>>>>>>> and an etherXXXXa* file with Windows & ISP usernames AND >>>>>>>>>>>> passwords >>>>>>>>>>>> is >>>>>>>>>>>> created. >>>>>>>>>>>> Since I expect WS to be literal, I would expect that those >>>>>>>>>>>> actions >>>>>>>>>>>> that >>>>>>>>>>>> had >>>>>>>>>>>> taken place in the past (logons & DNS authentication) would not >>>>>>>>>>>> be >>>>>>>>>>>> captured >>>>>>>>>>>> since WS had not been started when I logged on. That means that >>>>>>>>>>>> this >>>>>>>>>>>> information is being cached or worse somewhere. For my peace of >>>>>>>>>>>> mind, >>>>>>>>>>>> please >>>>>>>>>>>> can you tell me about this security issue? Thank you. >>>>>>>>>>>> ...................... >>>>>>>>>>>> >>>>>>>>>>>> Here is what Jeff wrote: >>>>>>>>>>>> Anyway, a brief answer: Wireshark on Windows relies on WinPCAP >>>>>>>>>>>> to >>>>>>>>>>>> do >>>>>>>>>>>> the >>>>>>>>>>>> capturing. I'm pretty sure WinPCAP won't start capturing until >>>>>>>>>>>> you >>>>>>>>>>>> ask >>>>>>>>>>>> it >>>>>>>>>>>> >>>>>>>>>>>> to >>>>>>>>>>>> do so. And I'm pretty sure that the OS's TCP/IP stack isn't >>>>>>>>>>>> going >>>>>>>>>>>> to >>>>>>>>>>>> cache >>>>>>>>>>>> stuff to give to WinPCAP after the fact. >>>>>>>>>>>> >>>>>>>>>>>> (BTW, the etherXXX file is just the temporary PCAP file that >>>>>>>>>>>> contains >>>>>>>>>>>> the >>>>>>>>>>>> packets that were captured--and what Wireshark displays for you. >>>>>>>>>>>> The >>>>>>>>>>>> fact >>>>>>>>>>>> >>>>>>>>>>>> that >>>>>>>>>>>> your password, etc., are in there just indicate that your >>>>>>>>>>>> password, >>>>>>>>>>>> etc., >>>>>>>>>>>> were >>>>>>>>>>>> sent over the wire unencrypted.) >>>>>>>>>>>> .............. >>>>>>>>>>>> What Jeff described is what I expected but I believe that I >>>>>>>>>>>> understand >>>>>>>>>>>> now what I am seeing. WS does its own DNS. So, that explains >>>>>>>>>>>> the >>>>>>>>>>>> first question. >>>>>>>>>>>> >>>>>>>>>>>> The second issue, however, is still a big concern. The >>>>>>>>>>>> etherXXXXa >>>>>>>>>>>> file always contains the complete (passwords included) >>>>>>>>>>>> authentication >>>>>>>>>>>> data plus more. Again, this unsaved (by me) login information >>>>>>>>>>>> was >>>>>>>>>>>> sent over the wire in the past (PPP PAP), yet it is being saved >>>>>>>>>>>> (by >>>>>>>>>>>> ?) >>>>>>>>>>>> and put into this file in the present. How can I prevent this >>>>>>>>>>>> login >>>>>>>>>>>> info from being saved? How can I encrypt this login info? This >>>>>>>>>>>> is >>>>>>>>>>>> >>>>>>>>>>>> a >>>>>>>>>>>> security risk. >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> All that is necessary for evil to succeed is that good men do >>>>>>>>>>>> nothing. >>>>>>>>>>>> >>>>>>>>>>>> ~Edmund Burke >>>>>>>>>>>> ___________________________________________________________________________ >>>>>>>>>>>> Sent via: Wireshark-users mailing list >>>>>>>>>>>> <wireshark-users@xxxxxxxxxxxxx> >>>>>>>>>>>> Archives: http://www.wireshark.org/lists/wireshark-users >>>>>>>>>>>> Unsubscribe: >>>>>>>>>>>> https://wireshark.org/mailman/options/wireshark-users >>>>>>>>>>>> >>>>>>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >>>>>>>>>>> >>>>>>>>>>> ___________________________________________________________________________ >>>>>>>>>>> Sent via: Wireshark-users mailing list >>>>>>>>>>> <wireshark-users@xxxxxxxxxxxxx> >>>>>>>>>>> Archives: http://www.wireshark.org/lists/wireshark-users >>>>>>>>>>> Unsubscribe: >>>>>>>>>>> https://wireshark.org/mailman/options/wireshark-users >>>>>>>>>>> >>>>>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> All that is necessary for evil to succeed is that good men do >>>>>>>>>> nothing. >>>>>>>>>> >>>>>>>>>> ~Edmund Burke >>>>>>>>>> ___________________________________________________________________________ >>>>>>>>>> Sent via: Wireshark-users mailing list >>>>>>>>>> <wireshark-users@xxxxxxxxxxxxx> >>>>>>>>>> Archives: http://www.wireshark.org/lists/wireshark-users >>>>>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >>>>>>>>>> >>>>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >>>>>>>>> >>>>>>>>> ___________________________________________________________________________ >>>>>>>>> Sent via: Wireshark-users mailing list >>>>>>>>> <wireshark-users@xxxxxxxxxxxxx> >>>>>>>>> Archives: http://www.wireshark.org/lists/wireshark-users >>>>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >>>>>>>>> >>>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> All that is necessary for evil to succeed is that good men do >>>>>>>> nothing. >>>>>>>> >>>>>>>> ~Edmund Burke >>>>>>>> ___________________________________________________________________________ >>>>>>>> Sent via: Wireshark-users mailing list >>>>>>>> <wireshark-users@xxxxxxxxxxxxx> >>>>>>>> Archives: http://www.wireshark.org/lists/wireshark-users >>>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >>>>>>>> >>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >>>>>>> >>>>>>> ___________________________________________________________________________ >>>>>>> Sent via: Wireshark-users mailing list >>>>>>> <wireshark-users@xxxxxxxxxxxxx> >>>>>>> Archives: http://www.wireshark.org/lists/wireshark-users >>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >>>>>>> >>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> All that is necessary for evil to succeed is that good men do nothing. >>>>>> >>>>>> ~Edmund Burke >>>>>> ___________________________________________________________________________ >>>>>> Sent via: Wireshark-users mailing list >>>>>> <wireshark-users@xxxxxxxxxxxxx> >>>>>> Archives: http://www.wireshark.org/lists/wireshark-users >>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >>>>>> >>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >>>>> >>>>> ___________________________________________________________________________ >>>>> Sent via: Wireshark-users mailing list >>>>> <wireshark-users@xxxxxxxxxxxxx> >>>>> Archives: http://www.wireshark.org/lists/wireshark-users >>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >>>>> >>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >>>>> >>>> >>>> >>>> -- >>>> All that is necessary for evil to succeed is that good men do nothing. >>>> >>>> ~Edmund Burke >>>> ___________________________________________________________________________ >>>> Sent via: Wireshark-users mailing list >>>> <wireshark-users@xxxxxxxxxxxxx> >>>> Archives: http://www.wireshark.org/lists/wireshark-users >>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >>>> >>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >>> >>> ___________________________________________________________________________ >>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> >>> Archives: http://www.wireshark.org/lists/wireshark-users >>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >>> >>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >>> >> >> >> -- >> All that is necessary for evil to succeed is that good men do nothing. >> >> ~Edmund Burke >> ___________________________________________________________________________ >> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> >> Archives: http://www.wireshark.org/lists/wireshark-users >> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >> >> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe > > ___________________________________________________________________________ > Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> > Archives: http://www.wireshark.org/lists/wireshark-users > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users > > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe > -- All that is necessary for evil to succeed is that good men do nothing. ~Edmund Burke
- Follow-Ups:
- Re: [Wireshark-users] from the past
- From: Martin Visser
- Re: [Wireshark-users] from the past
- References:
- [Wireshark-users] from the past
- From: M K
- Re: [Wireshark-users] from the past
- From: Gianluca Varenni
- Re: [Wireshark-users] from the past
- From: M K
- Re: [Wireshark-users] from the past
- From: Gianluca Varenni
- Re: [Wireshark-users] from the past
- From: M K
- Re: [Wireshark-users] from the past
- From: Gianluca Varenni
- Re: [Wireshark-users] from the past
- From: M K
- Re: [Wireshark-users] from the past
- From: Gianluca Varenni
- Re: [Wireshark-users] from the past
- From: M K
- Re: [Wireshark-users] from the past
- From: Gianluca Varenni
- [Wireshark-users] from the past
- Prev by Date: [Wireshark-users] Strange capture file
- Next by Date: Re: [Wireshark-users] mergecap doesn't merge
- Previous by thread: Re: [Wireshark-users] from the past
- Next by thread: Re: [Wireshark-users] from the past
- Index(es):
- Get Wireshark
- Download
- Code of Conduct