Wireshark-users: Re: [Wireshark-users] from the past

From: M K <gedropi@xxxxxxxxx>
Date: Wed, 24 Mar 2010 08:11:40 -0800
That is the question.  I am saying that some program (?) is capturing
my unsaved login info.  Then at a later point, when I start a WS
capture, that login info from the past is put into that EtherxXXXXa
tmp file.

On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
> Are you saying that when you start Wireshark, wireshark itself starts
> capturing, *before* you click the start capture button on it?
> Which adapter is wireshark capturing from?
>
>
> Have a nice day
> GV
>
>
> --------------------------------------------------
> From: "M K" <gedropi@xxxxxxxxx>
> Sent: Wednesday, March 24, 2010 8:12 AM
> To: <wireshark-users@xxxxxxxxxxxxx>
> Subject: [Wireshark-users] from the past
>
>> Jeff Morriss suggested that I pose this question to you folks.
>>
>> Here is what I wrote:
>> First:
>> I first log onto Windows machine
>> I log onto my Isp
>> I log into my proxy
>> Maybe do a few things online (eg. go to a few websites)
>> Then log into Wireshark
>>
>> Next:
>> When launching WS, immediately the capture starts a DNS authentication
>> trace
>> and an etherXXXXa* file with Windows & ISP usernames AND passwords is
>> created.
>> Since I expect WS to be literal, I would expect that those actions that
>> had
>> taken place in the past (logons & DNS authentication) would not be
>> captured
>> since WS had not been started when I logged on.  That means that this
>> information is being cached or worse somewhere.  For my peace of mind,
>> please
>> can you tell me about this security issue?  Thank you.
>> ......................
>>
>> Here is what Jeff wrote:
>> Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do the
>> capturing.  I'm pretty sure WinPCAP won't start capturing until you ask it
>>
>> to
>> do so.  And I'm pretty sure that the OS's TCP/IP stack isn't going to
>> cache
>> stuff to give to WinPCAP after the fact.
>>
>> (BTW, the etherXXX file is just the temporary PCAP file that contains the
>> packets that were captured--and what Wireshark displays for you.  The fact
>>
>> that
>> your password, etc., are in there just indicate that your password, etc.,
>> were
>> sent over the wire unencrypted.)
>> ..............
>> What Jeff described is what I expected but I believe that I understand
>> now what I am seeing.  WS does its own DNS.  So, that explains the
>> first question.
>>
>> The second issue, however, is still a big concern.  The etherXXXXa
>> file always contains the complete (passwords included) authentication
>> data plus more.  Again, this unsaved (by me) login information was
>> sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
>> and put into this file in the present. How can I prevent this login
>> info from being saved?  How can I encrypt this login info? This is a
>> security risk.
>>
>>
>> --
>> All that is necessary for evil to succeed is that good men do nothing.
>>
>>              ~Edmund Burke
>> ___________________________________________________________________________
>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives:    http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>
>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>


-- 
All that is necessary for evil to succeed is that good men do nothing.

              ~Edmund Burke