Wireshark-users: Re: [Wireshark-users] One IP-Port pair missing in the pcap file

From: vishal borkar <weeshalll@xxxxxxxxx>
Date: Thu, 25 Mar 2010 09:12:30 +0530
Accepted that the SIP data might be encrypted, but the frames that you mentioned
(no. 406 onwards) do not carry the actual SIP data. If you look closely, the SIP data
is travelling in SSL packets (frame no. 422 onwards). All of it seems to be plain text.
And my IP and port are nowhere to be seen in those packets. So my problem still persists.

Thanks and regards,
Vishal.

On Thu, Mar 25, 2010 at 12:30 AM, <wireshark-users-request@xxxxxxxxxxxxx> wrote:
Send Wireshark-users mailing list submissions to
       wireshark-users@xxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
       https://wireshark.org/mailman/listinfo/wireshark-users
or, via email, send a message with subject or body 'help' to
       wireshark-users-request@xxxxxxxxxxxxx

You can reach the person managing the list at
       wireshark-users-owner@xxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Wireshark-users digest..."


Today's Topics:

  1. from the past (M K)
  2. RSL over LAPD over UDP not parsed (Christian de Waal)
  3. Re: Using LTE-MAC over UDP heuristic (Martin Mathieson)
  4. Re: from the past (Gianluca Varenni)
  5. Re: One IP-Port pair missing in the pcap file (Robert D. Scott)
  6. Re: W2000 SP4 Wireshark 1.2.6 and 1.3.3 do not work
     (Graham Bloice)
  7. Re: from the past (M K)
  8. Re: from the past (Gianluca Varenni)
  9. Re: from the past (M K)
 10. Re: from the past (Graham Bloice)
 11. Re: Link error on the Wireshark website (Gerald Combs)
 12. Re: from the past (Jeff Morriss)
 13. Re: W2000 SP4 Wireshark 1.2.6 and 1.3.3 do not work (Gerald Combs)
 14. Re: from the past (M K)
 15. Re: from the past (M K)
 16. Re: Upgraded wireshark to 1.2.6 but now old pcap files cannot
     be read (Kok-Yong Tan)
 17. Re: from the past (Graham Bloice)
 18. Re: from the past (Gianluca Varenni)


----------------------------------------------------------------------

Message: 1
Date: Wed, 24 Mar 2010 07:12:12 -0800
From: M K <gedropi@xxxxxxxxx>
Subject: [Wireshark-users] from the past
To: wireshark-users@xxxxxxxxxxxxx
Message-ID:
       <b4ea502d1003240812r2154329er31101204b1f1a181@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1

Jeff Morriss suggested that I pose this question to you folks.

Here is what I wrote:
First:
I first log onto Windows machine
I log onto my ISP
I log into my proxy
Maybe do a few things online (eg. go to a few websites)
Then log into Wireshark

Next:
When launching WS, immediately the capture starts a DNS authentication trace
and an etherXXXXa* file with Windows & ISP usernames AND passwords is created.
Since I expect WS to be literal, I would expect that those actions that had
taken place in the past (logons & DNS authentication) would not be  captured
since WS had not been started when I logged on.  That means that this
information is being cached or worse somewhere.  For my peace of mind, please
can you tell me about this security issue?  Thank you.
......................

Here is what Jeff wrote:
Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do the
capturing.  I'm pretty sure WinPCAP won't start capturing until you ask it to
do so.  And I'm pretty sure that the OS's TCP/IP stack isn't going to cache
stuff to give to WinPCAP after the fact.

(BTW, the etherXXX file is just the temporary PCAP file that contains the
packets that were captured--and what Wireshark displays for you.  The fact that
your password, etc., are in there just indicates that your password, etc., were
sent over the wire unencrypted.)
..............
What Jeff described is what I expected but I believe that I understand
now what I am seeing.  WS does its own DNS.  So, that explains the
first question.

The second issue, however, is still a big concern.  The etherXXXXa
file always contains the complete (passwords included) authentication
data plus more.  Again, this unsaved (by me) login information was
sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
and put into this file in the present. How can I prevent this login
info from being saved?  How can I encrypt this login info? This is a
security risk.


--
All that is necessary for evil to succeed is that good men do nothing.

             ~Edmund Burke
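Jeff's explanation (the credentials are in the temporary capture file because PPP PAP put them on the wire unencrypted, not because anything cached them) can be checked against a capture directly. The script below is an added example, not code from this thread or from the Wireshark project. It reads a classic pcap whose link type is PPP (DLT 9), finds PAP Authenticate-Request packets (PPP protocol 0xc023, RFC 1334) and reports only the frame number, the peer-id and the password length, so the secret itself is never echoed. The capture bytes, the user name "alice" and the file layout are constructed here for the demo.

```python
import struct

# Constants from the libpcap file format and RFC 1334; the capture below is constructed.
PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap magic as read with little-endian unpacking
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same file written big-endian
DLT_PPP = 9                  # libpcap link type for raw PPP frames
PPP_HDLC_HDR = b"\xff\x03"   # optional HDLC address/control bytes in front of a PPP frame
PPP_PROTO_PAP = 0xC023       # Password Authentication Protocol
PPP_PROTO_LCP = 0xC021
PPP_PROTO_IP = 0x0021
PAP_AUTH_REQUEST = 1         # PAP code that carries peer-id and password in the clear
PAP_AUTH_ACK = 2


def parse_pcap(data):
    """Return (linktype, [(ts_sec, packet_bytes), ...]) from a classic pcap image."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(end + "I", data, 20)[0]
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        packets.append((ts_sec, data[off:off + incl_len]))
        off += incl_len
    return linktype, packets


def find_pap_credentials(pcap_bytes):
    """List PAP Authenticate-Request frames, reporting peer-id and password length only."""
    linktype, packets = parse_pcap(pcap_bytes)
    if linktype != DLT_PPP:
        raise ValueError(f"expected link type DLT_PPP (9), got {linktype}")
    findings = []
    for frame_no, (_ts, pkt) in enumerate(packets, start=1):
        off = 2 if pkt.startswith(PPP_HDLC_HDR) else 0
        if len(pkt) < off + 6:
            continue                                  # too short for protocol + PAP header
        proto = struct.unpack_from(">H", pkt, off)[0]
        if proto != PPP_PROTO_PAP:
            continue
        code, _ident, _length = struct.unpack_from(">BBH", pkt, off + 2)
        if code != PAP_AUTH_REQUEST:
            continue                                  # Ack/Nak carry no credential
        p = off + 6
        if p >= len(pkt):
            continue
        id_len = pkt[p]
        peer_id = pkt[p + 1:p + 1 + id_len]
        p += 1 + id_len
        if p >= len(pkt):
            continue                                  # truncated frame: no password field
        findings.append({
            "frame": frame_no,
            "peer_id": peer_id.decode("ascii", "replace"),
            "password_len": pkt[p],                   # length only; the secret is not copied
        })
    return findings


def ppp_frame(proto, body):
    return PPP_HDLC_HDR + struct.pack(">H", proto) + body


def pap_auth_request(ident, peer_id, password):
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return ppp_frame(PPP_PROTO_PAP,
                     struct.pack(">BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body)


def build_sample_pcap():
    """Constructed capture: an LCP frame, a PAP login, its ack, and one IP datagram."""
    frames = [
        ppp_frame(PPP_PROTO_LCP, struct.pack(">BBH", 1, 1, 4)),                      # LCP Configure-Request
        pap_auth_request(1, b"alice", b"hunter2"),                                      # cleartext credential
        ppp_frame(PPP_PROTO_PAP, struct.pack(">BBH", PAP_AUTH_ACK, 1, 5) + b"\x00"),   # Authenticate-Ack
        ppp_frame(PPP_PROTO_IP, b"\x45" + b"\x00" * 19),                                # dummy IPv4 header
    ]
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, DLT_PPP)
    records = b"".join(struct.pack("<IIII", 1269400000 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


if __name__ == "__main__":
    for f in find_pap_credentials(build_sample_pcap()):
        print(f"frame {f['frame']}: PAP Authenticate-Request for peer-id {f['peer_id']!r} "
              f"carries a {f['password_len']}-byte password in the clear; redact before sharing")
```

To audit a real capture, pass `open(path, "rb").read()` to `find_pap_credentials`; a hit means the dial-up link negotiated PAP, and the fix is on the link (CHAP or an encrypted tunnel), not in Wireshark, which only records what was already on the wire.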


------------------------------

Message: 2
Date: Wed, 24 Mar 2010 16:49:49 +0100
From: Christian de Waal <Christian.deWaal@xxxxxxxxxxx>
Subject: [Wireshark-users] RSL over LAPD over UDP not parsed
To: "wireshark-users@xxxxxxxxxxxxx" <wireshark-users@xxxxxxxxxxxxx>
Message-ID:
       <5A42207526F4F34C96C3A06F876FA54703892F2395@xxxxxxxxxxxxxxxxxx.local>
Content-Type: text/plain; charset="us-ascii"

Dear all,

I have some tcpdump traces where I am very sure that the protocol stack used is RSL over LAPD over UDP. However, the RSL over LAPD part is not parsed by Wireshark, but only displayed as hex data. I have tried to find some configuration possibility to manually assign LAPD to the non standard UDP port number which is used in this case, but I failed.

Therefore my question, can I somehow configure Wireshark to parse LAPD and RSL inside the UDP packets? If this is not possible configuration-wise, could someone point me to the places in the source code where I would have to make changes to "hard code" this protocol stack into a special Wireshark version which I could use specifically for these traces only?

Thanks a lot in advance for your help!

BR,
Christian de Waal



______________________________
Christian de Waal - Value Added Service IP Engineer

Tel:    +49 (211) 5423 5006
Mobile: +49 (1577) 540 5006
Fax:    +49 (211) 5423 5099
E-Mail: christian.dewaal@xxxxxxxxxxx
Web:    http://www.onephone.de

OnePhone Deutschland GmbH
Düsseldorfer Str. 16
40699 Erkrath, Germany

Managing Director: Marc Mauermann
Registered office: Erkrath, Düsseldorfer Str. 16, D-40699 Erkrath
HRB 21674 Wuppertal

Think green! Please consider the environment before printing this email.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-users/attachments/20100324/38a9f3a3/attachment.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: [email protected]
Type: image/jpeg
Size: 3042 bytes
Desc: [email protected]
Url : http://www.wireshark.org/lists/wireshark-users/attachments/20100324/38a9f3a3/attachment.jpeg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: [email protected]
Type: image/gif
Size: 1100 bytes
Desc: [email protected]
Url : http://www.wireshark.org/lists/wireshark-users/attachments/20100324/38a9f3a3/attachment.gif

------------------------------

Message: 3
Date: Wed, 24 Mar 2010 15:59:54 +0000
From: Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Using LTE-MAC over UDP heuristic
To: Community support list for Wireshark
       <wireshark-users@xxxxxxxxxxxxx>
Message-ID:
       <7b8c30e41003240859l2d917edkbc33689c37c33a7e@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hi Raju,
The UDP heuristic dissector isn't for use with dct2000 (now known as
IxCatapult) .out files; it's a separate way to supply the MAC dissector with
the info it needs.

There is a sample C program linked from the MAC-LTE wiki page that will send
MAC frames over UDP with the header format that the heuristic dissector
understands:
- that program can send frames to a given machine name or IP address, where
Wireshark can capture those UDP frames in the normal way
- there is a pattern on the front of the UDP payload that matches what the
heuristic dissector is checking for
- it parses the UDP framing info to get the context the MAC-LTE dissector
needs in order to fully decode the frame that follows

The program is BSD licensed, and the intention was that you could build this
functionality into your equipment that deals with MAC frames and configure
it to send to a machine running Wireshark.

The alternative is to have Wireshark understand MAC frames from a special
file format, which is what I did with our .out files.  I wouldn't recommend
you try to use the .out file format if you're not using IxCatapult
equipment.

Hope this helps,
Martin


On Wed, Mar 24, 2010 at 12:06 PM, Raju Udava <raju.us@gmail.com> wrote:

> Hi,
>
> This is what I tried out, but wasn't able to see MAC parsed information:
>
> a) Enabled mac-lte protocol option in "Enabled Protocols"
> b) Enabled "Try heuristic sub-dissectors first" option for UDP
> c) Created a .out file using text2pcap, with dummy UDP header.
> d) UDP payload was started with "mac-lte" tag followed by information as
> specified in packet-mac-lte.h
>
> When I opened the output file on wireshark, I couldn't see MAC protocol
> information & packet was still being displayed as UDP.
> Please let me know if I need to use any specific UDP ports? or If I am
> missing out to enable any option?
> If anyone has sample catapult 2000 file for MAC-LTE, please post.
>
> ===
>
> input.txt
> 000000 6d 61 63 2d 6c 74 65 01 00 03 01 21 02 1f 00 10 00 00 00 00
>
> text2pcap.exe -u 99,99 input.txt output.txt
>
> Opened output.txt in wireshark. It was showing just as a normal packet.
>
> ===
>
> Thanks in advance.
>
> --
> Regards,
> Raju Udava
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx
> ?subject=unsubscribe
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-users/attachments/20100324/2b4925e0/attachment.htm
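Martin's description of the framing (a fixed pattern at the front of the UDP payload, then the context the MAC-LTE dissector needs, then the MAC PDU) can be tried against the exact bytes Raju posted. The parser below is an added example written for this page, not code from the thread or from Wireshark. It assumes the layout of packet-mac-lte.h as I remember it: the string "mac-lte", one byte each of radio type, direction and RNTI type, then optional tag/value pairs ending with payload tag 0x01 after which the MAC PDU runs to the end of the frame. The tag numbers and the meaning of the enum values are assumptions to verify against the header in your Wireshark tree; only the start string and Raju's sample come from the thread.

```python
# Added example. Constants follow packet-mac-lte.h as remembered (assumption: check
# your Wireshark tree); only the "mac-lte" start string is taken from the thread.
MAC_LTE_START_STRING = b"mac-lte"

RADIO_TYPES = {1: "FDD", 2: "TDD"}
DIRECTIONS = {0: "uplink", 1: "downlink"}
RNTI_TYPES = {0: "NO_RNTI", 1: "P_RNTI", 2: "RA_RNTI", 3: "C_RNTI", 4: "SI_RNTI"}

MAC_LTE_PAYLOAD_TAG = 0x01          # after this tag the MAC PDU runs to the end of the frame
OPTIONAL_TAGS = {                   # tag -> (field name, value length in bytes, network order)
    0x02: ("rnti", 2),
    0x03: ("ueid", 2),
    0x04: ("subframe", 2),
    0x05: ("predefined_data", 1),
    0x06: ("retx", 1),
    0x07: ("crc_status", 1),
}


def looks_like_mac_lte(udp_payload: bytes) -> bool:
    """The heuristic test: the fixed pattern must sit at the very front of the UDP payload."""
    return udp_payload.startswith(MAC_LTE_START_STRING)


def parse_mac_lte_framing(udp_payload: bytes) -> dict:
    """Decode the framing into the context the MAC-LTE dissector needs, plus the raw MAC PDU."""
    if not looks_like_mac_lte(udp_payload):
        raise ValueError("start string not present: the heuristic would not claim this packet")
    p = len(MAC_LTE_START_STRING)
    if len(udp_payload) < p + 3:
        raise ValueError("truncated: missing fixed fields")
    radio, direction, rnti_type = udp_payload[p:p + 3]      # three mandatory one-byte fields
    p += 3
    ctx = {
        "radio_type": RADIO_TYPES.get(radio, radio),
        "direction": DIRECTIONS.get(direction, direction),
        "rnti_type": RNTI_TYPES.get(rnti_type, rnti_type),
    }
    while p < len(udp_payload):
        tag = udp_payload[p]
        p += 1
        if tag == MAC_LTE_PAYLOAD_TAG:
            ctx["mac_pdu"] = udp_payload[p:]                   # no length field: rest of frame
            return ctx
        if tag not in OPTIONAL_TAGS:
            raise ValueError(f"unknown tag 0x{tag:02x}: the dissector would reject the frame")
        name, size = OPTIONAL_TAGS[tag]
        if p + size > len(udp_payload):
            raise ValueError(f"truncated value for tag {name}")
        ctx[name] = int.from_bytes(udp_payload[p:p + size], "big")
        p += size
    raise ValueError("no payload tag: frame carries no MAC PDU")


# The UDP payload from Raju's text2pcap input, exactly as posted in the thread.
RAJU_SAMPLE = bytes.fromhex("6d61632d6c746501000301" "21021f001000000000")

# Constructed variant: downlink, with an RNTI tag (0x02, value 42) before the payload tag.
SAMPLE_WITH_RNTI = (MAC_LTE_START_STRING + bytes([1, 1, 3])
                    + bytes([0x02, 0x00, 0x2A]) + bytes([MAC_LTE_PAYLOAD_TAG])
                    + bytes.fromhex("3f0102"))


if __name__ == "__main__":
    for name, sample in [("raju", RAJU_SAMPLE), ("with_rnti", SAMPLE_WITH_RNTI)]:
        ctx = parse_mac_lte_framing(sample)
        print(name, {k: (v.hex() if isinstance(v, bytes) else v) for k, v in ctx.items()})
    print("plain UDP payload claimed by heuristic?", looks_like_mac_lte(b"\x00\x01\x02\x03"))
```

Raju's sample decodes as FDD, uplink, C-RNTI, followed directly by the payload tag and a 9-byte MAC PDU, so the framing bytes themselves are well formed; that narrows his problem to the heuristic not being invoked for those UDP packets rather than to the input file.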

------------------------------

Message: 4
Date: Wed, 24 Mar 2010 09:01:13 -0700
From: "Gianluca Varenni" <gianluca.varenni@xxxxxxxxxxxx>
Subject: Re: [Wireshark-users] from the past
To: <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <BDFABABCB81F4453AE99371222CDB513@NELSON3>
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
       reply-type=original

Are you saying that when you start Wireshark, wireshark itself starts
capturing, *before* you click the start capture button on it?
Which adapter is wireshark capturing from?


Have a nice day
GV





------------------------------

Message: 5
Date: Wed, 24 Mar 2010 12:06:15 -0400
From: "Robert D. Scott" <robert@xxxxxxx>
Subject: Re: [Wireshark-users] One IP-Port pair missing in the pcap
       file
To: "'Community support list for Wireshark'"
       <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <005d01cacb6b$ee616560$cb243020$@edu>
Content-Type: text/plain;       charset="us-ascii"

It looks like your session initiation is encrypted (beginning at frame 406),
immediately after the DNS query for voipb.sip.yahoo.com (frames 397-398) with
answers in frames 403-405. You will not be able to decrypt any of the
setup exchange. :(

Robert D. Scott                 Robert@xxxxxxx
Senior Network Engineer         352-273-0113 Phone
CNS - Network Services          352-392-2061 CNS Phone Tree
University of Florida           352-392-9440 FAX
Florida Lambda Rail             352-294-3571 FLR NOC
Gainesville, FL  32611          321-663-0421 Cell


-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of vishal borkar
Sent: Wednesday, March 24, 2010 1:28 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] One IP-Port pair missing in the pcap file

Hello all,
I recently captured a Yahoo voice communication between my machine and a
friend.
What I observed was that when I opened the file in a text editor I could not
find the port and the IP of my system on which the actual communication took
place.
FYI, my IP (on which the UDP data travelled): 192.168.0.230; port (on which
the UDP data travelled): 22308

Though I can clearly see the communication happening on this IP-port pair
when I open the file in Wireshark.
Can anyone tell me why this is happening?
What I mean is, aren't the SIP packets supposed to carry this information?
Since they are not carrying this information, then how is the communication
taking place?
I am attaching the file for your reference.

Thanks in advance,
Vishal





------------------------------

Message: 6
Date: Wed, 24 Mar 2010 16:06:53 +0000
From: Graham Bloice <graham.bloice@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] W2000 SP4 Wireshark 1.2.6 and 1.3.3 do
       not work
To: Mail Box <mailbox@xxxxxxxxxxx>,     Community support list for
       Wireshark <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <4BAA389D.7010002@xxxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"

On 23/03/2010 16:47, Mail Box wrote:
> It has already been reported by another user but has been erroneously closed as resolved.
> That is not the case.
> The reported error persists at least on some installations of W2000 SP4.
> Wireshark 1.2.5 works on the same platform.
>
> Error:
> "The procedure entry point getaddrinfo could not be located in the dynamic link
> library W32_32.dll"
>
This call is made from the c-ares library, not wireshark itself.
According to MSDN
(http://msdn.microsoft.com/en-us/library/ms738520%28VS.85%29.aspx, see
blurb near bottom on older versions of Windows) to use this function on
Windows < XP SP2 requires one to include ws2tcpip.h and Wspiapi.h before
using the function.  This then uses an in-line copy of the function if
the system dll doesn't include it.  This would mean building our own
copy of c-ares.

As all MS support for W2K ceases on 13 July 2010
(http://support.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Windows+2000&Filter=FilterNO)
is this worthwhile?

--
Regards,

Graham Bloice

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-users/attachments/20100324/7f197217/attachment.htm

------------------------------

Message: 7
Date: Wed, 24 Mar 2010 08:11:40 -0800
From: M K <gedropi@xxxxxxxxx>
Subject: Re: [Wireshark-users] from the past
To: Community support list for Wireshark
       <wireshark-users@xxxxxxxxxxxxx>
Message-ID:
       <b4ea502d1003240911u5bdb7dfesbad8876663ebb3de@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1

That is the question.  I am saying that some program (?) is capturing
my unsaved login info.  Then at a later point, when I start a WS
capture, that login info from the past is put into that EtherxXXXXa
tmp file.



--
All that is necessary for evil to succeed is that good men do nothing.

             ~Edmund Burke


------------------------------

Message: 8
Date: Wed, 24 Mar 2010 09:16:36 -0700
From: "Gianluca Varenni" <gianluca.varenni@xxxxxxxxxxxx>
Subject: Re: [Wireshark-users] from the past
To: "Community support list for Wireshark"
       <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <98CC46AE61AA488DAE0567FB73F4C52D@NELSON3>
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
       reply-type=original



--------------------------------------------------
From: "M K" <gedropi@xxxxxxxxx>
Sent: Wednesday, March 24, 2010 9:11 AM
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] from the past

> That is the question.  I am saying that some program (?) is capturing
> my unsaved login info.  Then at a later point, when I start a WS
> capture, that login info from the past is put into that EtherxXXXXa
> tmp file.

What happens if you log into your ISP and proxy, wait let's say 5 minutes,
and then start Wireshark? Do those packets still show up? What is their
timestamp?

GV




------------------------------

Message: 9
Date: Wed, 24 Mar 2010 08:25:58 -0800
From: M K <gedropi@xxxxxxxxx>
Subject: Re: [Wireshark-users] from the past
To: Community support list for Wireshark
       <wireshark-users@xxxxxxxxxxxxx>
Message-ID:
       <b4ea502d1003240925v5b833a00vf24ef17885fa2ed2@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1

That is exactly what I am doing.  I log onto my Windows machine, then
my ISP, then my proxy.  Then maybe go to a few websites, for example.
Then maybe after a half hour, I may then start up a WS capture.
Still, even after all that time between logons and actually starting a
capture, the etherXXXXa tmp file still contains this private info.

According to Jeff, the etherXXXXa file only captures what is not
encrypted.  That makes this even more scary.  That means that not only
is the info being captured but it isn't even being protected by even
low-grade encryption.

On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>
>
> --------------------------------------------------
> From: "M K" <gedropi@xxxxxxxxx>
> Sent: Wednesday, March 24, 2010 9:11 AM
> To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] from the past
>
>> That is the question.  I am saying that some program (?) is capturing
>> my unsaved login info.  Then at a later point, when I start a WS
>> capture, that login info from the past is put into that EtherxXXXXa
>> tmp file.
>
> What happens if you log into your ISP and proxy, wait let's say 5 minutes
> and then start wireshark? Do those packets still show up? what is their
> tiemstamp?
>
> GV
>
>>
>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>> Are you saying that when you start Wireshark, wireshark itself starts
>>> capturing, *before* you click the start capture button on it?
>>> Which adapter is wireshark capturing from?
>>>
>>>
>>> Have a nice day
>>> GV
>>>
>>>
>>> --------------------------------------------------
>>> From: "M K" <gedropi@xxxxxxxxx>
>>> Sent: Wednesday, March 24, 2010 8:12 AM
>>> To: <wireshark-users@xxxxxxxxxxxxx>
>>> Subject: [Wireshark-users] from the past
>>>
>>>> Jeff Morriss suggested that I pose this question to you folks.
>>>>
>>>> Here is what I wrote:
>>>> First:
>>>> I first log onto Windows machine
>>>> I log onto my Isp
>>>> I log into my proxy
>>>> Maybe do a few things online (eg. go to a few websites)
>>>> Then log into Wireshark
>>>>
>>>> Next:
>>>> When launching WS, immediately the capture starts a DNS authentication
>>>> trace
>>>> and an etherXXXXa* file with Windows & ISP usernames AND passwords is
>>>> created.
>>>> Since I expect WS to be literal, I would expect that those actions that
>>>> had
>>>> taken place in the past (logons & DNS authentication) would not be
>>>> captured
>>>> since WS had not been started when I logged on.  That means that this
>>>> information is being cached or worse somewhere.  For my peace of mind,
>>>> please
>>>> can you tell me about this security issue?  Thank you.
>>>> ......................
>>>>
>>>> Here is what Jeff wrote:
>>>> Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do the
>>>> capturing.  I'm pretty sure WinPCAP won't start capturing until you ask
>>>> it
>>>>
>>>> to
>>>> do so.  And I'm pretty sure that the OS's TCP/IP stack isn't going to
>>>> cache
>>>> stuff to give to WinPCAP after the fact.
>>>>
>>>> (BTW, the etherXXX file is just the temporary PCAP file that contains
>>>> the
>>>> packets that were captured--and what Wireshark displays for you.  The
>>>> fact
>>>>
>>>> that
>>>> your password, etc., are in there just indicate that your password,
>>>> etc.,
>>>> were
>>>> sent over the wire unencrypted.)
>>>> ..............
>>>> What Jeff described is what I expected but I believe that I understand
>>>> now what I am seeing.  WS does its own DNS.  So, that explains the
>>>> first question.
>>>>
>>>> The second issue, however, is still a big concern.  The etherXXXXa
>>>> file always contains the complete (passwords included) authentication
>>>> data plus more.  Again, this unsaved (by me) login information was
>>>> sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
>>>> and put into this file in the present. How can I prevent this login
>>>> info from being saved?  How can I encrypt this login info? This is a
>>>> security risk.
>>>>
>>>>
>>>> --
>>>> All that is necessary for evil to succeed is that good men do nothing.
>>>>
>>>>              ~Edmund Burke
>>>> ___________________________________________________________________________
>>>> Sent via:    Wireshark-users mailing list
>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>
>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>
>>> ___________________________________________________________________________
>>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>
>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>
>>
>>
>> --
>> All that is necessary for evil to succeed is that good men do nothing.
>>
>>              ~Edmund Burke
>> ___________________________________________________________________________
>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives:    http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>
>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
>


--
All that is necessary for evil to succeed is that good men do nothing.

             ~Edmund Burke


------------------------------

Message: 10
Date: Wed, 24 Mar 2010 16:37:06 +0000
From: Graham Bloice <graham.bloice@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] from the past
To: Community support list for Wireshark
       <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <4BAA3FB2.3000307@xxxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"

On 24/03/2010 16:25, M K wrote:
> That is exactly what I am doing.  I log onto my Windows machine, then
> my ISP, then my proxy.  Then maybe go to a few websites, for example.
> Then maybe after a half hour, I may then start up a WS capture.
> Still, even after all that time between logons and actually starting a
> capture, the etherXXXXa tmp file still contains this private info.
>
> According to Jeff, the etherXXXXa file only captures what is not
> encrypted.  That makes this even more scary.  That means that not only
> is the info being captured but it isn't even being protected by even
> low-grade encryption.
What protocol is carrying this info, might it be POP3?

--
Regards,

Graham Bloice

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-users/attachments/20100324/01f54b5c/attachment.htm

------------------------------

Message: 11
Date: Wed, 24 Mar 2010 09:50:23 -0700
From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Link error on the Wireshark website
To: Community support list for Wireshark
       <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <4BAA42CF.6080002@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Munther Hammouri wrote:
> Hello,
>
> It seems that there is a link error on the fedoraproject.org
> <http://fedoraproject.org> website. I was trying to download the Red Hat
> / Fedora Standard package. I clicked on the link to it and I was then
> moved to a page that had the following message:
>
> Fedora Package Database -- Invalid PackageBuild Name
>
> The package build you were linked to (name) does not appear in the
> Package Database. If you received this error from a link on the
> fedoraproject.org <http://fedoraproject.org> website, please report it.
>
>
> Could you please fix this problem or tell me how I can get a Wireshark
> version that would work on Fedora OS.

According to

http://www.fedoraguide.info/index.php?title=Main_Page#How_to_install_network_traffic_analyzer_.28Wireshark.29

you should run "su -c 'yum install wireshark wireshark-gnome'". The link
on the download page should be fixed.


------------------------------

Message: 12
Date: Wed, 24 Mar 2010 13:05:36 -0400
From: Jeff Morriss <jeff.morriss.ws@gmail.com>
Subject: Re: [Wireshark-users] from the past
To: Community support list for Wireshark
       <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <4BAA4660.8090904@xxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

M K wrote:
> That is exactly what I am doing.  I log onto my Windows machine, then
> my ISP, then my proxy.  Then maybe go to a few websites, for example.
> Then maybe after a half hour, I may then start up a WS capture.
> Still, even after all that time between logons and actually starting a
> capture, the etherXXXXa tmp file still contains this private info.
>
> According to Jeff, the etherXXXXa file only captures what is not
> encrypted.  That makes this even more scary.  That means that not only
> is the info being captured but it isn't even being protected by even
> low-grade encryption.

Actually, the etherXXXX file captures everything, even if it is
encrypted.  But you'll only find, for example, your password in plain
text in that file (and in Wireshark's display) if the password is not
encrypted.  (If it were encrypted, your password would not be recognizable.)


------------------------------

Message: 13
Date: Wed, 24 Mar 2010 10:07:17 -0700
From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] W2000 SP4 Wireshark 1.2.6 and 1.3.3 do
       not work
To: Community support list for Wireshark
       <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <4BAA46C5.4030801@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8; format=flowed

Graham Bloice wrote:
> On 23/03/2010 16:47, Mail Box wrote:
>> It has already been reported by another user but has been erroneously closed as resolved.
>> That is not the case.
>> The reported error persists at least on some installations of W2000 SP4.
>> Wireshark 1.2.5 works on the same platform.
>>
>> Error:
>> "The procedure entry point getaddrinfo could not be located in the dynamic link
>> library W32_32.dll"
>>
> This call is made from the c-ares library, not wireshark itself.
> According to MSDN
> (http://msdn.microsoft.com/en-us/library/ms738520%28VS.85%29.aspx, see
> blurb near bottom on older versions of Windows) to use this function on
> Windows < XP SP2 requires one to include ws2tcpip.h and Wspiapi.h before
> using the function.  This then uses an in-line copy of the function if
> the system dll doesn't include it.  This would mean building our own
> copy of c-ares.
>
> As all MS support for W2K ceases on 13 July 2010
> (http://support.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Windows+2000&Filter=FilterNO)
> is this worthwhile?

1.2.7 will restore Windows 2000 support. It is scheduled for release on
March 31. In the meantime you can get a prerelease version from
http://www.wireshark.org/download/prerelease/


------------------------------

Message: 14
Date: Wed, 24 Mar 2010 09:07:44 -0800
From: M K <gedropi@xxxxxxxxx>
Subject: Re: [Wireshark-users] from the past
To: Community support list for Wireshark
       <wireshark-users@xxxxxxxxxxxxx>
Message-ID:
       <b4ea502d1003241007u249da40aj25f3b31937f9e717@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1

No.  There is no POP on this machine.  This is not related to email.
But as far as protocols go...
Logging onto Windows should be just local.  Right?
Logging onto ISP should be PPP PAP protocol; then TCP/UDP.  Right?
Then proxy logon; then using SSL.

Another issue is that sometimes these are being captured; sometimes
not.  I am not sure what causes that info to be retained.  By its very
nature, since tmp files are temporary, that file disappears.

My question still is what program is causing this retention.  Is this
unencrypted data being transferred?

On 3/24/10, Graham Bloice <graham.bloice@xxxxxxxxxxxxx> wrote:
> On 24/03/2010 16:25, M K wrote:
>> That is exactly what I am doing.  I log onto my Windows machine, then
>> my ISP, then my proxy.  Then maybe go to a few websites, for example.
>> Then maybe after a half hour, I may then start up a WS capture.
>> Still, even after all that time between logons and actually starting a
>> capture, the etherXXXXa tmp file still contains this private info.
>>
>> According to Jeff, the etherXXXXa file only captures what is not
>> encrypted.  That makes this even more scary.  That means that not only
>> is the info being captured but it isn't even being protected by even
>> low-grade encryption.
> What protocol is carrying this info, might it be POP3?
>
> --
> Regards,
>
> Graham Bloice
>
>


--
All that is necessary for evil to succeed is that good men do nothing.

             ~Edmund Burke


------------------------------

Message: 15
Date: Wed, 24 Mar 2010 09:12:35 -0800
From: M K <gedropi@xxxxxxxxx>
Subject: Re: [Wireshark-users] from the past
To: Community support list for Wireshark
       <wireshark-users@xxxxxxxxxxxxx>
Message-ID:
       <b4ea502d1003241012y37fc2d13l7f4c4ef29cb33365@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1

But I expected that the etherXXXXA tmp file would capture
current/realtime traffic, not from the past.

This isn't a criticism of WS.  I know that WS is a literal program.

On 3/24/10, Jeff Morriss <jeff.morriss.ws@gmail.com> wrote:
> M K wrote:
>> That is exactly what I am doing.  I log onto my Windows machine, then
>> my ISP, then my proxy.  Then maybe go to a few websites, for example.
>> Then maybe after a half hour, I may then start up a WS capture.
>> Still, even after all that time between logons and actually starting a
>> capture, the etherXXXXa tmp file still contains this private info.
>>
>> According to Jeff, the etherXXXXa file only captures what is not
>> encrypted.  That makes this even more scary.  That means that not only
>> is the info being captured but it isn't even being protected by even
>> low-grade encryption.
>
> Actually, the etherXXXX file captures everything, even if it is
> encrypted.  But you'll only find, for example, your password in plain
> text in that file (and in Wireshark's display) if the password is not
> encrypted.  (If it were encrypted, your password would not be recognizable.)
>


--
All that is necessary for evil to succeed is that good men do nothing.

             ~Edmund Burke


------------------------------

Message: 16
Date: Wed, 24 Mar 2010 13:31:06 -0400
From: Kok-Yong Tan <ktan@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Upgraded wireshark to 1.2.6 but now old
       pcap files cannot be read
To: jpo@xxxxxxxxxxxx,   Community support list for Wireshark
       <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <FC1E1EB4-6537-4ED3-BA12-7F61EB9C9527@xxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed


On Mar 24, 2010, at 02:19, Jose Pedro Oliveira wrote:

> On 2010-03-24 05:32, Kok-Yong Tan wrote:
>>
>> On Mar 24, 2010, at 01:10, Jose Pedro Oliveira wrote:
>>
>>> On 2010-03-24 02:45, Kok-Yong Tan wrote:
>>>
>>>> Any recommendations?  Can I build the version of libz that predates
>>>> this wholesale replacement of gz* functions?  Do you know which one
>>>> that was?
>>>
>>> I had exactly the same problem you described using Wireshark from
>>> MacPorts (and I've built both versions available: 1.2.6 and 1.3.3).
>>>
>>> While I haven't figured out what the problem was, I uninstalled them
>>> and started using the Wireshark MacOSX pre-built binaries instead.
>>> They are available for download here:
>>>
>>>    http://www.wireshark.org/download/osx/
>>>
>>> Note: I'm currently using the 1.3.3 build.
>>
>>
>> Isn't 1.3.3 a developer build?
>
> Yes it is (I've been using it for quite a while now without finding
> any problems) but you can always install the 1.2.6 binaries.
>
> But if you really want the latest development release
> you can find it here :)
> http://www.wireshark.org/download/automated/osx/


Many thanks.  But I think I'll stick with the MacPorts distribution
since it builds in a very localized fashion and installs source,
libraries and executables in an easily removable location:  /opt.
I've discovered that getting Wireshark to build using the zlib 1.2.3
libraries isn't as horrendously difficult as I'd imagined.  I'll let
everybody know how it goes (it took me a little while to figure out
how to do it as the instructions aren't very clear but my procedure
seemed to work and I'm in mid-build right now).  And I've verified
with the maintainer of the Wireshark port that he, too, had the same
issues and that they went away as soon as he rebuilt his copy using
zlib 1.2.3 instead of zlib 1.2.4.  But I want to test the build for
myself since his rebuild was only on Snow Leopard while mine is on
Snow Leopard, Leopard and Tiger (I have multiple machines and want to
ensure Wireshark works on all those platforms).
--
Reality Artisans, Inc.             #   Network Wrangling and Delousing
P.O. Box 565, Gracie Station       #   Apple Certified Consultant
New York, NY 10028-0019            #   Apple Consultants Network member
<http://www.realityartisans.com>   #   Apple Developer Connection member
(212) 369-4876 (Voice)             #   My PGP public key can be found
at <https://keyserver.pgp.com>






------------------------------

Message: 17
Date: Wed, 24 Mar 2010 17:48:49 +0000
From: Graham Bloice <graham.bloice@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] from the past
To: Community support list for Wireshark
       <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <4BAA5081.8090305@xxxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"

On 24/03/2010 17:07, M K wrote:
> No.  There is no POP on this machine.  This is not related to email.
> But as far as protocols go...
> Logging onto Windows should be just local.  Right?
> Logging onto ISP should be PPP PAP protocol; then TCP/UDP.  Right?
> Then proxy logon; then using SSL.
>
> Another issue is that sometimes these are being captured; sometimes
> not.  I am not sure what causes that info to be retained.  By its very
> nature, since tmp files are temporary, that file disappears.
>
> My question still is what program is causing this retention.  Is this
> unencrypted data being transferred?
>
>
Well can you determine from the tmp capture file (load it into
Wireshark) what protocol is carrying your username and password?
Knowing that may help you determine what is causing the issue.

--
Regards,

Graham Bloice

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-users/attachments/20100324/c7adb73b/attachment.htm
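Graham's suggestion (load the temporary capture into Wireshark and find which protocol carries the username and password) and Gianluca's question about the packets' timestamps can both be answered by reading the pcap file directly. The following is an added example, not code from this thread or from Wireshark: a small Python script that parses a classic pcap file, looks for PPP PAP Authenticate-Request frames (the protocol M K names for the ISP logon), and reports the frame number, timestamp and peer-id of each without printing the password. It assumes the capture uses a PPP link type (the `DLT_PPP`/`DLT_PPP_SERIAL` values are libpcap's) and leaves pcapng files out of scope; the sample capture built at the bottom is constructed in the script, with a made-up peer-id, password and timestamps.

```python
"""Added example (not code from the thread or from Wireshark): scan a classic
pcap file for PPP PAP Authenticate-Request frames (RFC 1334) and report the
frame number, timestamp and peer-id of each, without echoing the password."""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

DLT_PPP, DLT_PPP_SERIAL = 9, 50   # libpcap link types for PPP captures (assumed here)
PPP_PROTO_PAP = 0xC023            # PPP protocol number of PAP
PAP_AUTH_REQUEST = 1              # PAP code 1; codes 2/3 are Authenticate-Ack/Nak

@dataclass
class PapFinding:
    frame: int          # 1-based record number, the way Wireshark numbers frames
    timestamp: float    # seconds since the epoch, from the pcap record header
    peer_id: str
    password_len: int   # length only: a report must not re-expose the secret

def parse_pcap(data: bytes):
    """Return (linktype, [(frame_no, timestamp, packet_bytes), ...]) for a classic pcap."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    records, off, frame = [], 24, 1
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl_len]
        if len(pkt) != incl_len:
            raise ValueError(f"record {frame} is truncated")
        records.append((frame, ts_sec + ts_usec / 1e6, pkt))
        off, frame = off + 16 + incl_len, frame + 1
    return linktype, records

def ppp_protocol_and_payload(pkt: bytes):
    # Strip the optional HDLC address/control bytes (ff 03), then read the protocol.
    if pkt[:2] == b"\xff\x03":
        pkt = pkt[2:]
    if len(pkt) < 2:
        return None, b""
    return struct.unpack("!H", pkt[:2])[0], pkt[2:]

def parse_pap_request(payload: bytes):
    """Return (peer_id, password) for a well-formed Authenticate-Request, else None."""
    if len(payload) < 4:
        return None
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if code != PAP_AUTH_REQUEST or length < 6 or length > len(payload):
        return None
    body = payload[4:length]                 # peer-id-len, peer-id, passwd-len, passwd
    pid_len = body[0]
    if 1 + pid_len >= len(body):
        return None
    pw_len = body[1 + pid_len]
    password = body[2 + pid_len:2 + pid_len + pw_len]
    if len(password) != pw_len:
        return None
    return body[1:1 + pid_len].decode("latin-1"), password.decode("latin-1")

def find_pap_credentials(pcap_bytes: bytes):
    """List every frame in which a PAP peer-id/password pair was sent in clear text."""
    linktype, records = parse_pcap(pcap_bytes)
    if linktype not in (DLT_PPP, DLT_PPP_SERIAL):
        raise ValueError(f"link type {linktype} is not PPP; nothing to look for")
    findings = []
    for frame, ts, pkt in records:
        proto, payload = ppp_protocol_and_payload(pkt)
        parsed = parse_pap_request(payload) if proto == PPP_PROTO_PAP else None
        if parsed:
            findings.append(PapFinding(frame, ts, parsed[0], len(parsed[1])))
    return findings

def report(findings):
    # Human-readable lines; the password itself is deliberately left out.
    return [f"frame {f.frame} @ {datetime.fromtimestamp(f.timestamp, tz=timezone.utc).isoformat()}: "
            f"PAP Authenticate-Request, peer-id {f.peer_id!r}, "
            f"{f.password_len}-byte password sent unencrypted" for f in findings]

# --- constructed sample capture; nothing below comes from a real capture ---
def _ppp_frame(proto: int, payload: bytes) -> bytes:
    return b"\xff\x03" + struct.pack("!H", proto) + payload

def _pap_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body

def build_sample_pcap() -> bytes:
    """Three PPP frames (LCP, PAP request, PAP ack); timestamps are made up."""
    t0 = 1269447900   # 2010-03-24 16:25:00 UTC, picked to match the thread's date
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_PPP_SERIAL)
    frames = [
        (t0, 0, _ppp_frame(0xC021, b"\x01\x01\x00\x04")),                       # LCP
        (t0 + 1, 500000, _ppp_frame(PPP_PROTO_PAP, _pap_request(1, b"alice", b"s3cret"))),
        (t0 + 1, 900000, _ppp_frame(PPP_PROTO_PAP, b"\x02\x01\x00\x05\x00")),  # Ack
    ]
    return header + b"".join(struct.pack("<IIII", s, u, len(p), len(p)) + p for s, u, p in frames)
```

To run it against a real temporary capture, pass the file's bytes: `report(find_pap_credentials(open(path, "rb").read()))`. The timestamps come from the pcap record headers, so a credential frame stamped before the capture was started would confirm the "from the past" observation, while one stamped after it would mean the logon was sent again on the wire while Wireshark was running, which is the distinction Gianluca's timestamp question is getting at. The report deliberately prints only the password's length: a finding that a secret crossed the wire in clear text should not put that secret into a second file.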

------------------------------

Message: 18
Date: Wed, 24 Mar 2010 10:51:27 -0700
From: "Gianluca Varenni" <gianluca.varenni@xxxxxxxxxxxx>
Subject: Re: [Wireshark-users] from the past
To: "Community support list for Wireshark"
       <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <8293559DDF6D4099BB467847FFD63368@NELSON3>
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
       reply-type=original

You didn't answer my questions:

1. what is the timestamp of those packets?
2. what interface are you capturing from?

Are you capturing from what is called "Adapter for generic dialup and VPN
capture"?

Have a nice day
GV



--------------------------------------------------
From: "M K" <gedropi@xxxxxxxxx>
Sent: Wednesday, March 24, 2010 9:25 AM
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] from the past

> That is exactly what I am doing.  I log onto my Windows machine, then
> my ISP, then my proxy.  Then maybe go to a few websites, for example.
> Then maybe after a half hour, I may then start up a WS capture.
> Still, even after all that time between logons and actually starting a
> capture, the etherXXXXa tmp file still contains this private info.
>
> According to Jeff, the etherXXXXa file only captures what is not
> encrypted.  That makes this even more scary.  That means that not only
> is the info being captured but it isn't even being protected by even
> low-grade encryption.
>
> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>
>>
>> --------------------------------------------------
>> From: "M K" <gedropi@xxxxxxxxx>
>> Sent: Wednesday, March 24, 2010 9:11 AM
>> To: "Community support list for Wireshark"
>> <wireshark-users@xxxxxxxxxxxxx>
>> Subject: Re: [Wireshark-users] from the past
>>
>>> That is the question.  I am saying that some program (?) is capturing
>>> my unsaved login info.  Then at a later point, when I start a WS
>>> capture, that login info from the past is put into that EtherxXXXXa
>>> tmp file.
>>
>> What happens if you log into your ISP and proxy, wait let's say 5 minutes
>> and then start wireshark? Do those packets still show up? what is their
>> timestamp?
>>
>> GV
>>
>>>
>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>>> Are you saying that when you start Wireshark, wireshark itself starts
>>>> capturing, *before* you click the start capture button on it?
>>>> Which adapter is wireshark capturing from?
>>>>
>>>>
>>>> Have a nice day
>>>> GV
>>>>
>>>>
>>>> --------------------------------------------------
>>>> From: "M K" <gedropi@xxxxxxxxx>
>>>> Sent: Wednesday, March 24, 2010 8:12 AM
>>>> To: <wireshark-users@xxxxxxxxxxxxx>
>>>> Subject: [Wireshark-users] from the past
>>>>
>>>>> Jeff Morriss suggested that I pose this question to you folks.
>>>>>
>>>>> Here is what I wrote:
>>>>> First:
>>>>> I first log onto Windows machine
>>>>> I log onto my Isp
>>>>> I log into my proxy
>>>>> Maybe do a few things online (eg. go to a few websites)
>>>>> Then log into Wireshark
>>>>>
>>>>> Next:
>>>>> When launching WS, immediately the capture starts a DNS authentication
>>>>> trace
>>>>> and an etherXXXXa* file with Windows & ISP usernames AND passwords is
>>>>> created.
>>>>> Since I expect WS to be literal, I would expect that those actions
>>>>> that
>>>>> had
>>>>> taken place in the past (logons & DNS authentication) would not be
>>>>> captured
>>>>> since WS had not been started when I logged on.  That means that this
>>>>> information is being cached or worse somewhere.  For my peace of mind,
>>>>> please
>>>>> can you tell me about this security issue?  Thank you.
>>>>> ......................
>>>>>
>>>>> Here is what Jeff wrote:
>>>>> Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do
>>>>> the
>>>>> capturing.  I'm pretty sure WinPCAP won't start capturing until you
>>>>> ask
>>>>> it
>>>>>
>>>>> to
>>>>> do so.  And I'm pretty sure that the OS's TCP/IP stack isn't going to
>>>>> cache
>>>>> stuff to give to WinPCAP after the fact.
>>>>>
>>>>> (BTW, the etherXXX file is just the temporary PCAP file that contains
>>>>> the
>>>>> packets that were captured--and what Wireshark displays for you.  The
>>>>> fact
>>>>>
>>>>> that
>>>>> your password, etc., are in there just indicate that your password,
>>>>> etc.,
>>>>> were
>>>>> sent over the wire unencrypted.)
>>>>> ..............
>>>>> What Jeff described is what I expected but I believe that I understand
>>>>> now what I am seeing.  WS does its own DNS.  So, that explains the
>>>>> first question.
>>>>>
>>>>> The second issue, however, is still a big concern.  The etherXXXXa
>>>>> file always contains the complete (passwords included) authentication
>>>>> data plus more.  Again, this unsaved (by me) login information was
>>>>> sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
>>>>> and put into this file in the present. How can I prevent this login
>>>>> info from being saved?  How can I encrypt this login info? This is a
>>>>> security risk.
>>>>>
>>>>>
>>>>> --
>>>>> All that is necessary for evil to succeed is that good men do nothing.
>>>>>
>>>>>              ~Edmund Burke
>>>>
>>>>
>>>
>>>
>>> --
>>> All that is necessary for evil to succeed is that good men do nothing.
>>>
>>>              ~Edmund Burke
>>
>>
>
>
> --
> All that is necessary for evil to succeed is that good men do nothing.
>
>              ~Edmund Burke



------------------------------

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users


End of Wireshark-users Digest, Vol 46, Issue 42
***********************************************