Ethereal-users: Re: [Ethereal-users] (no subject)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 3 Apr 2003 00:36:49 -0800
On Thu, Apr 03, 2003 at 12:50:57AM -0600, Talot12 wrote:
> I went to the services and noticed an unfamiliar service running.  The
> name of the service was remote packet capture protocol V.0
> (experimental).  The path to the executable was program
> files\winpcap\rpcapd.exe -d -f rpcapd.ini.

If somebody installed WinPcap 3.0 beta on that machine, that might cause
its remote packet capture service to run - the "News" page on the
WinPcap site:

	http://winpcap.polito.it/news.htm

says:

	10 February, 2003 
	     The beta of WinPcap 3.0 is available from today in the download
	     section.  The main improvements of this release are:
	     - experimental support for SMP machines 
	     - kernel buffering rewritten from scratch 
	     - experimental support for remote capture. 

> My question is based on this information should I continue to pursue
> this app as the culprit

I have no idea whether it could cause those symptoms.  You should ask
the WinPcap developers:

	http://winpcap.polito.it/contact.htm

about that.

> or is it possible that someone used the software maliciously?

I suspect that service couldn't be used maliciously to do all those
things, but, again, you should ask the WinPcap developers about that.