Wireshark-users: Re: [Wireshark-users] from the past
From: M K <gedropi@xxxxxxxxx>
Date: Wed, 24 Mar 2010 12:38:55 -0800
Nothing looks odd within the WS capture itself. Just your basic LLC & PPP LCP from my vantage point (my machine, inside the LAN gateway). That is probably the point. If I had visibility to the bigger picture and what is actually happening on the routers and switches in the WAN, I would probably have an AHAH moment. In the tmp file, one sees a lot of hex. And yes, I expect that WS is just taking what it is given.

On 3/24/10, bart sikkes <b.sikkes@xxxxxxxxx> wrote:
> hi,
>
> can you show us the capture? a screenshot with the actual username / password removed or such?
>
> i expect it just being a reauthentication action or something like that. wireshark just captures what is transmitted so something is transmitting this at the moment of capturing. a lot more happens below the surface than one initially suspects (and many things will be sent plain text). the fact it ends up in the file is because that is how wireshark usually works.
>
> good luck finding it,
> bart
>
> On Wed, Mar 24, 2010 at 8:58 PM, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>
>> --------------------------------------------------
>> From: "M K" <gedropi@xxxxxxxxx>
>> Sent: Wednesday, March 24, 2010 12:45 PM
>> To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
>> Subject: Re: [Wireshark-users] from the past
>>
>>> Sorry. I got called away.
>>>
>>> The etherXXXX tmp file doesn't appear to have timestamps. But within
>>
>> If it's a valid capture file, the packets must have a timestamp, if you open the file with wireshark.
>>
>> GV
>>
>>> WS, the LLC (Layer 2) & PPP LCP protocols are the first protocols to show up in the trace at the time the login info is captured inside the tmp file.
>>>
>>> I suspect that this info is being passed to the tmp file. Possible suspects: the OS or networking appliances.
>>>
>>> Yes, the interface is: Adapter for generic dialup and VPN
>>>
>>> And thanks for this feedback and help.
>>>
>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>>> You didn't answer my questions:
>>>>
>>>> 1. what is the timestamp of those packets?
>>>> 2. what interface are you capturing from?
>>>>
>>>> Are you capturing from what is called "Adapter for generic dialup and VPN capture"?
>>>>
>>>> Have a nice day
>>>> GV
>>>>
>>>> --------------------------------------------------
>>>> From: "M K" <gedropi@xxxxxxxxx>
>>>> Sent: Wednesday, March 24, 2010 9:25 AM
>>>> To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
>>>> Subject: Re: [Wireshark-users] from the past
>>>>
>>>>> That is exactly what I am doing. I log onto my Windows machine, then my ISP, then my proxy. Then maybe go to a few websites, for example. Then maybe after a half hour, I may then start up a WS capture. Still, even after all that time between logons and actually starting a capture, the etherXXXXa tmp file still contains this private info.
>>>>>
>>>>> According to Jeff, the etherXXXXa file only captures what is not encrypted. That makes this even more scary. That means that not only is the info being captured but it isn't even being protected by even low-grade encryption.
>>>>>
>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>>>>>
>>>>>> --------------------------------------------------
>>>>>> From: "M K" <gedropi@xxxxxxxxx>
>>>>>> Sent: Wednesday, March 24, 2010 9:11 AM
>>>>>> To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
>>>>>> Subject: Re: [Wireshark-users] from the past
>>>>>>
>>>>>>> That is the question. I am saying that some program (?) is capturing my unsaved login info. Then at a later point, when I start a WS capture, that login info from the past is put into that EtherxXXXXa tmp file.
>>>>>>
>>>>>> What happens if you log into your ISP and proxy, wait let's say 5 minutes and then start wireshark? Do those packets still show up? what is their timestamp?
>>>>>>
>>>>>> GV
>>>>>>
>>>>>>>
>>>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>>>>>>> Are you saying that when you start Wireshark, wireshark itself starts capturing, *before* you click the start capture button on it? Which adapter is wireshark capturing from?
>>>>>>>>
>>>>>>>> Have a nice day
>>>>>>>> GV
>>>>>>>>
>>>>>>>> --------------------------------------------------
>>>>>>>> From: "M K" <gedropi@xxxxxxxxx>
>>>>>>>> Sent: Wednesday, March 24, 2010 8:12 AM
>>>>>>>> To: <wireshark-users@xxxxxxxxxxxxx>
>>>>>>>> Subject: [Wireshark-users] from the past
>>>>>>>>
>>>>>>>>> Jeff Morriss suggested that I pose this question to you folks.
>>>>>>>>>
>>>>>>>>> Here is what I wrote:
>>>>>>>>> First:
>>>>>>>>> I first log onto Windows machine
>>>>>>>>> I log onto my ISP
>>>>>>>>> I log into my proxy
>>>>>>>>> Maybe do a few things online (e.g. go to a few websites)
>>>>>>>>> Then log into Wireshark
>>>>>>>>>
>>>>>>>>> Next:
>>>>>>>>> When launching WS, immediately the capture starts a DNS authentication trace and an etherXXXXa* file with Windows & ISP usernames AND passwords is created. Since I expect WS to be literal, I would expect that those actions that had taken place in the past (logons & DNS authentication) would not be captured since WS had not been started when I logged on. That means that this information is being cached or worse somewhere. For my peace of mind, please can you tell me about this security issue? Thank you.
>>>>>>>>> ......................
>>>>>>>>>
>>>>>>>>> Here is what Jeff wrote:
>>>>>>>>> Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do the capturing. I'm pretty sure WinPCAP won't start capturing until you ask it to do so. And I'm pretty sure that the OS's TCP/IP stack isn't going to cache stuff to give to WinPCAP after the fact.
>>>>>>>>>
>>>>>>>>> (BTW, the etherXXX file is just the temporary PCAP file that contains the packets that were captured--and what Wireshark displays for you. The fact that your password, etc., are in there just indicates that your password, etc., were sent over the wire unencrypted.)
>>>>>>>>> ..............
>>>>>>>>> What Jeff described is what I expected but I believe that I understand now what I am seeing. WS does its own DNS. So, that explains the first question.
>>>>>>>>>
>>>>>>>>> The second issue, however, is still a big concern. The etherXXXXa file always contains the complete (passwords included) authentication data plus more. Again, this unsaved (by me) login information was sent over the wire in the past (PPP PAP), yet it is being saved (by ?) and put into this file in the present. How can I prevent this login info from being saved? How can I encrypt this login info? This is a security risk.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> All that is necessary for evil to succeed is that good men do nothing.
>>>>>>>>> ~Edmund Burke
>>>>>>>>> ___________________________________________________________________________
>>>>>>>>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>>>>>>>> Archives: http://www.wireshark.org/lists/wireshark-users
>>>>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>>>>>>
>>>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
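Added example, not part of this thread and not Wireshark's or WinPcap's own code. The replies above come down to two checks: the timestamp of the packets in the etherXXXX temp file (GV's question, which decides between "captured now" and "cached from earlier"), and whether the file simply holds what went over the wire in cleartext (Jeff's answer, with PPP PAP named as the protocol). The script below reads a libpcap file with only the Python standard library, prints the capture timestamp of every PPP frame, and flags PAP Authenticate-Request frames, reporting the peer-id and the password length but never the password itself. It assumes the capture uses link type DLT_PPP (9) or DLT_PPP_SERIAL (50); a capture from the generic dialup adapter may carry a different link type, in which case `ppp_fields` needs an adapter-specific branch. The bytes produced by `build_sample_pcap` are constructed for the demonstration, not taken from the thread's file.

```python
"""Audit a libpcap file for PPP PAP Authenticate-Request frames.

Added example (not from the thread): lists the capture timestamp of each PPP
frame and flags PAP Authenticate-Request frames, whose peer-id and password
travel in cleartext (RFC 1334). Assumes DLT_PPP or DLT_PPP_SERIAL link types.
"""
import struct
import time

DLT_PPP = 9          # assumption: the capture uses one of these two link types
DLT_PPP_SERIAL = 50
PPP_PROTOCOLS = {0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP", 0x8021: "IPCP", 0x0021: "IP"}
PAP_CODES = {1: "Authenticate-Request", 2: "Authenticate-Ack", 3: "Authenticate-Nak"}


def parse_pcap(data):
    """Return (linktype, [(timestamp_seconds, packet_bytes), ...]) from libpcap bytes.

    Handles both byte orders and the microsecond and nanosecond magic numbers.
    """
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
        divisor = 1e6 if magic == 0xA1B2C3D4 else 1e9
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
        divisor = 1e6 if magic == 0xD4C3B2A1 else 1e9
    else:
        raise ValueError("not a libpcap file (bad magic)")
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    records, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        records.append((ts_sec + ts_frac / divisor, data[offset:offset + incl_len]))
        offset += incl_len
    return linktype, records


def ppp_fields(linktype, pkt):
    """Split a PPP frame into (protocol_number, information_field), or None."""
    if linktype not in (DLT_PPP, DLT_PPP_SERIAL):
        return None
    if pkt[:2] == b"\xff\x03":      # HDLC address/control bytes present
        pkt = pkt[2:]
    if len(pkt) < 2:
        return None
    if pkt[0] & 1:                  # protocol-field compression: odd first byte = 1-byte protocol
        return pkt[0], pkt[1:]
    return struct.unpack("!H", pkt[:2])[0], pkt[2:]


def parse_pap(info):
    """Decode a PAP packet; report the peer-id and password length, never the password."""
    if len(info) < 4:
        return None
    code, ident, _length = struct.unpack("!BBH", info[:4])
    result = {"pap_code": PAP_CODES.get(code, "code %d" % code), "pap_id": ident}
    if code == 1 and len(info) >= 5:
        id_len = info[4]
        pw_off = 5 + id_len
        if pw_off < len(info):
            result["peer_id"] = info[5:pw_off].decode("latin-1")
            result["password_length"] = info[pw_off]
            result["cleartext_credential"] = True
    return result


def audit_capture(data):
    """One entry per PPP frame: frame number, timestamp, protocol, PAP details if any."""
    linktype, records = parse_pcap(data)
    findings = []
    for idx, (ts, pkt) in enumerate(records, start=1):
        fields = ppp_fields(linktype, pkt)
        if fields is None:
            continue
        proto, info = fields
        entry = {"frame": idx, "ts": ts,
                 "time": time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(ts)),
                 "protocol": PPP_PROTOCOLS.get(proto, "0x%04x" % proto)}
        if proto == 0xC023:
            pap = parse_pap(info)
            if pap:
                entry.update(pap)
        findings.append(entry)
    return findings


def build_sample_pcap():
    """Constructed sample: one LCP frame, then a PAP request and ack, link type DLT_PPP."""
    base = 1269432000  # 2010-03-24 12:00:00 UTC, a made-up capture time
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_PPP)
    lcp = b"\xff\x03\xc0\x21" + struct.pack("!BBH", 1, 1, 4)          # LCP Configure-Request
    peer, pw = b"alice", b"hunter2"                                     # constructed credential
    pap_body = bytes([len(peer)]) + peer + bytes([len(pw)]) + pw
    pap_req = b"\xff\x03\xc0\x23" + struct.pack("!BBH", 1, 7, 4 + len(pap_body)) + pap_body
    pap_ack = b"\xff\x03\xc0\x23" + struct.pack("!BBH", 2, 7, 5) + b"\x00"
    out = hdr
    for i, frame in enumerate((lcp, pap_req, pap_ack)):
        out += struct.pack("<IIII", base + i, 250000 * i, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for f in audit_capture(build_sample_pcap()):
        flag = "  <-- credential sent in cleartext" if f.get("cleartext_credential") else ""
        print("frame %d  %s  %s %s%s" % (f["frame"], f["time"], f["protocol"], f.get("pap_code", ""), flag))
```

To run it against a real temp file instead of the sample, call `audit_capture(open(path, "rb").read())`. If the PAP frames carry timestamps later than the moment the capture was started, they are a re-authentication on the link, as bart suggests, not data cached from an earlier logon. The fix for the cleartext itself is on the PPP side: PAP sends the password in the clear by design, so a challenge-response method such as CHAP has to be negotiated where the peer supports it.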