Wireshark-users: Re: [Wireshark-users] from the past

From: "Gianluca Varenni" <gianluca.varenni@xxxxxxxxxxxx>
Date: Wed, 24 Mar 2010 09:16:36 -0700


--------------------------------------------------
From: "M K" <gedropi@xxxxxxxxx>
Sent: Wednesday, March 24, 2010 9:11 AM
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] from the past

That is the question.  I am saying that some program (?) is capturing
my unsaved login info.  Then at a later point, when I start a WS
capture, that login info from the past is put into that EtherxXXXXa
tmp file.

What happens if you log into your ISP and proxy, wait let's say 5 minutes and then start wireshark? Do those packets still show up? What is their timestamp?

GV


On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
Are you saying that when you start Wireshark, wireshark itself starts
capturing, *before* you click the start capture button on it?
Which adapter is wireshark capturing from?


Have a nice day
GV


--------------------------------------------------
From: "M K" <gedropi@xxxxxxxxx>
Sent: Wednesday, March 24, 2010 8:12 AM
To: <wireshark-users@xxxxxxxxxxxxx>
Subject: [Wireshark-users] from the past

Jeff Morriss suggested that I pose this question to you folks.

Here is what I wrote:
First:
I first log onto Windows machine
I log onto my Isp
I log into my proxy
Maybe do a few things online (eg. go to a few websites)
Then log into Wireshark

Next:
When launching WS, immediately the capture starts a DNS authentication trace
and an etherXXXXa* file with Windows & ISP usernames AND passwords is created.
Since I expect WS to be literal, I would expect that those actions that had
taken place in the past (logons & DNS authentication) would not be captured
since WS had not been started when I logged on.  That means that this
information is being cached or worse somewhere.  For my peace of mind, please
can you tell me about this security issue?  Thank you.
......................

Here is what Jeff wrote:
Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do the
capturing. I'm pretty sure WinPCAP won't start capturing until you ask it to
do so.  And I'm pretty sure that the OS's TCP/IP stack isn't going to cache
stuff to give to WinPCAP after the fact.

(BTW, the etherXXX file is just the temporary PCAP file that contains the
packets that were captured--and what Wireshark displays for you. The fact that
your password, etc., are in there just indicates that your password, etc., were
sent over the wire unencrypted.)
..............
What Jeff described is what I expected but I believe that I understand
now what I am seeing.  WS does its own DNS.  So, that explains the
first question.

The second issue, however, is still a big concern.  The etherXXXXa
file always contains the complete (passwords included) authentication
data plus more.  Again, this unsaved (by me) login information was
sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
and put into this file in the present. How can I prevent this login
info from being saved?  How can I encrypt this login info? This is a
security risk.


--
All that is necessary for evil to succeed is that good men do nothing.

             ~Edmund Burke
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
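Added example, not code from this thread or from the Wireshark/WinPcap projects: the temporary etherXXXX file discussed above is an ordinary libpcap capture, and a PPP PAP Authenticate-Request carries the Peer-ID and Password as plain length-prefixed bytes (RFC 1334), which is why they are readable in the file. The script below builds a small constructed capture in that format, scans it for PAP Authenticate-Request frames (reporting the user name and only the length of the password), and shows one mitigation for the "how do I keep it out of the saved file" question: overwriting the password bytes in place before the capture is saved or shared. The frame contents, timestamps and file layout are constructed here for illustration; the pcap and PPP constants are the standard ones.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic libpcap magic, as read from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic as read from a big-endian file
LINKTYPE_PPP = 9             # LINKTYPE_PPP: frames may start with the 0xff 0x03 HDLC prefix
PPP_PROTO_PAP = 0xC023       # PPP protocol number for PAP (RFC 1334)
PPP_PROTO_LCP = 0xC021       # PPP protocol number for LCP (used here as a non-PAP frame)
PAP_AUTH_REQUEST = 1         # PAP code 1: Authenticate-Request (carries Peer-ID and Password)


def build_pap_request(peer_id: bytes, password: bytes, ident: int = 1) -> bytes:
    """Constructed PAP Authenticate-Request in an HDLC-framed PPP frame (example input)."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    pap = struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body
    return b"\xff\x03" + struct.pack("!H", PPP_PROTO_PAP) + pap


def build_pcap(frames, linktype: int = LINKTYPE_PPP) -> bytes:
    """Constructed pcap file (24-byte global header + 16-byte record headers)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        # Constructed timestamps around 24 March 2010, one second apart.
        out += struct.pack("<IIII", 1269450000 + i, 0, len(frame), len(frame)) + frame
    return out


def _records(pcap: bytes):
    """Yield (frame_no, ts_sec, data_offset, data_len, linktype) for each record."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic libpcap file")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    off, frame_no = 24, 0
    while off + 16 <= len(pcap):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        frame_no += 1
        yield frame_no, ts_sec, off + 16, incl_len, linktype
        off += 16 + incl_len


def find_pap_requests(pcap: bytes):
    """Report PAP Authenticate-Requests without echoing the password itself."""
    hits = []
    for frame_no, ts_sec, start, length, linktype in _records(pcap):
        if linktype != LINKTYPE_PPP:
            continue
        frame = pcap[start:start + length]
        pos = 2 if frame[:2] == b"\xff\x03" else 0          # skip HDLC address/control
        if len(frame) < pos + 9:                             # proto(2)+PAP hdr(4)+lens
            continue
        proto, = struct.unpack_from("!H", frame, pos)
        code = frame[pos + 2]
        if proto != PPP_PROTO_PAP or code != PAP_AUTH_REQUEST:
            continue
        pid_len = frame[pos + 6]
        pw_off = pos + 7 + pid_len
        if pw_off >= len(frame) or pw_off + 1 + frame[pw_off] > len(frame):
            continue                                         # truncated, skip it
        pw_len = frame[pw_off]
        hits.append({
            "frame": frame_no,
            "ts_sec": ts_sec,
            "peer_id": frame[pos + 7:pw_off].decode("ascii", errors="replace"),
            "password_len": pw_len,
            "password_offset": start + pw_off + 1,           # absolute offset in the file
        })
    return hits


def redact_pap_passwords(pcap: bytes):
    """Return a copy of the capture with every PAP password overwritten by '*'."""
    out = bytearray(pcap)
    hits = find_pap_requests(pcap)
    for h in hits:
        o, n = h["password_offset"], h["password_len"]
        out[o:o + n] = b"*" * n                              # same length, file stays valid
    return bytes(out), len(hits)


def make_sample_capture() -> bytes:
    """Constructed two-frame capture: one LCP frame, one PAP Authenticate-Request."""
    lcp = b"\xff\x03" + struct.pack("!H", PPP_PROTO_LCP) + b"\x01\x01\x00\x04"
    return build_pcap([lcp, build_pap_request(b"alice", b"s3cret")])


if __name__ == "__main__":
    cap = make_sample_capture()
    for h in find_pap_requests(cap):
        print(f"frame {h['frame']} ts={h['ts_sec']}: PAP request for "
              f"'{h['peer_id']}', {h['password_len']}-byte cleartext password")
    scrubbed, count = redact_pap_passwords(cap)
    print(f"redacted {count} password(s); cleartext still present: {b's3cret' in scrubbed}")
```

The redaction keeps the record lengths unchanged, so the scrubbed file still opens normally and still shows which user authenticated; only the password bytes are gone. The scan deliberately returns the password's length and file offset rather than its value, which is all an audit of a capture needs before the file is kept or handed to someone else.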
