Wireshark-users: Re: [Wireshark-users] from the past

From: M K <gedropi@xxxxxxxxx>
Date: Wed, 24 Mar 2010 12:48:50 -0800
The etherXXXX file is only a tmp file written in hex.  I believe that
it would be impossible to open within WS because the only time the
ethernet file exists is when you are already in the middle of a
capture.  And it vanishes when you stop the capture or shut down WS, I
believe.  Opening another file while performing a capture is not
enabled.  Unless if you had multiple instances of WS perhaps.

On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>
>
> --------------------------------------------------
> From: "M K" <gedropi@xxxxxxxxx>
> Sent: Wednesday, March 24, 2010 1:29 PM
> To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] from the past
>
>> The WS  capture file does have time stamps.  The etherXXXXa file lives
>> at:  \Documents and Settings\Administrator\Local Settings\Temp within
>> Windows.  This tmp file does not appear to have obvious timestamps.
>> Machine name, Administrator User name, packet source/dest and at
>> times, also the passwords to Windows and ISP.
>
> Wait... is this a pcap file or not? Can you open it with wireshark?
>
> Have a nice day
> GV
>
>
>>
>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>>
>>>
>>> --------------------------------------------------
>>> From: "M K" <gedropi@xxxxxxxxx>
>>> Sent: Wednesday, March 24, 2010 12:45 PM
>>> To: "Community support list for Wireshark"
>>> <wireshark-users@xxxxxxxxxxxxx>
>>> Subject: Re: [Wireshark-users] from the past
>>>
>>>> Sorry.  I got called away.
>>>>
>>>> The etherXXXX tmp file doesn't appear to have timestamps.  But within
>>>
>>> If it's a valid capture file, the packets must have a timestamp, if you
>>> open
>>> the file with wireshark.
>>>
>>> GV
>>>
>>>
>>>> WS, the LLC (Layer 2) & PPP LCP protocols are the first protocols to
>>>> show up in the trace at the time the login info is captured inside the
>>>> tmp file.
>>>>
>>>> I suspect that this info is being passed to the tmp file.  Possible
>>>> suspects: the OS or networking appliances.
>>>>
>>>> Yes, the interface is:  Adapter for generic dialup and VPN
>>>>
>>>> And thanks for this feedback and help.
>>>>
>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>>>> You didn't answer my questions:
>>>>>
>>>>> 1. what is the timestamp of those packets?
>>>>> 2. what interface are you capturing from?
>>>>>
>>>>> Are capturing from what is called "Adapter for generic dialup and VPN
>>>>> capture"?
>>>>>
>>>>> Have a nice day
>>>>> GV
>>>>>
>>>>>
>>>>>
>>>>> --------------------------------------------------
>>>>> From: "M K" <gedropi@xxxxxxxxx>
>>>>> Sent: Wednesday, March 24, 2010 9:25 AM
>>>>> To: "Community support list for Wireshark"
>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>> Subject: Re: [Wireshark-users] from the past
>>>>>
>>>>>> That is exactly what I am doing.  I log onto my Windows machine, then
>>>>>> my ISP, then my proxy.  Then maybe go to a few websites, for example.
>>>>>> Then maybe after a half hour, I may then start up a WS capture.
>>>>>> Still, even after all that time between logons and actually starting a
>>>>>> capture, the etherXXXXa tmp file still contains this private info.
>>>>>>
>>>>>> According to Jeff, the etherXXXXa file only captures what is not
>>>>>> encrypted.  That makes this even more scary.  That means that not only
>>>>>> is the info being captured but it isn't even being protected by even
>>>>>> low-grade encryption.
>>>>>>
>>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>>>>>>
>>>>>>>
>>>>>>> --------------------------------------------------
>>>>>>> From: "M K" <gedropi@xxxxxxxxx>
>>>>>>> Sent: Wednesday, March 24, 2010 9:11 AM
>>>>>>> To: "Community support list for Wireshark"
>>>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>>>> Subject: Re: [Wireshark-users] from the past
>>>>>>>
>>>>>>>> That is the question.  I am saying that some program (?) is
>>>>>>>> capturing
>>>>>>>> my unsaved login info.  Then at a later point, when I start a WS
>>>>>>>> capture, that login info from the past is put into that EtherxXXXXa
>>>>>>>> tmp file.
>>>>>>>
>>>>>>> What happens if you log into your ISP and proxy, wait let's say 5
>>>>>>> minutes
>>>>>>> and then start wireshark? Do those packets still show up? what is
>>>>>>> their
>>>>>>> tiemstamp?
>>>>>>>
>>>>>>> GV
>>>>>>>
>>>>>>>>
>>>>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>>>>>>>> Are you saying that when you start Wireshark, wireshark itself
>>>>>>>>> starts
>>>>>>>>> capturing, *before* you click the start capture button on it?
>>>>>>>>> Which adapter is wireshark capturing from?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Have a nice day
>>>>>>>>> GV
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --------------------------------------------------
>>>>>>>>> From: "M K" <gedropi@xxxxxxxxx>
>>>>>>>>> Sent: Wednesday, March 24, 2010 8:12 AM
>>>>>>>>> To: <wireshark-users@xxxxxxxxxxxxx>
>>>>>>>>> Subject: [Wireshark-users] from the past
>>>>>>>>>
>>>>>>>>>> Jeff Morriss suggested that I pose this question to you folks.
>>>>>>>>>>
>>>>>>>>>> Here is what I wrote:
>>>>>>>>>> First:
>>>>>>>>>> I first log onto Windows machine
>>>>>>>>>> I log onto my Isp
>>>>>>>>>> I log into my proxy
>>>>>>>>>> Maybe do a few things online (eg. go to a few websites)
>>>>>>>>>> Then log into Wireshark
>>>>>>>>>>
>>>>>>>>>> Next:
>>>>>>>>>> When launching WS, immediately the capture starts a DNS
>>>>>>>>>> authentication
>>>>>>>>>> trace
>>>>>>>>>> and an etherXXXXa* file with Windows & ISP usernames AND passwords
>>>>>>>>>> is
>>>>>>>>>> created.
>>>>>>>>>> Since I expect WS to be literal, I would expect that those actions
>>>>>>>>>> that
>>>>>>>>>> had
>>>>>>>>>> taken place in the past (logons & DNS authentication) would not be
>>>>>>>>>> captured
>>>>>>>>>> since WS had not been started when I logged on.  That means that
>>>>>>>>>> this
>>>>>>>>>> information is being cached or worse somewhere.  For my peace of
>>>>>>>>>> mind,
>>>>>>>>>> please
>>>>>>>>>> can you tell me about this security issue?  Thank you.
>>>>>>>>>> ......................
>>>>>>>>>>
>>>>>>>>>> Here is what Jeff wrote:
>>>>>>>>>> Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to
>>>>>>>>>> do
>>>>>>>>>> the
>>>>>>>>>> capturing.  I'm pretty sure WinPCAP won't start capturing until
>>>>>>>>>> you
>>>>>>>>>> ask
>>>>>>>>>> it
>>>>>>>>>>
>>>>>>>>>> to
>>>>>>>>>> do so.  And I'm pretty sure that the OS's TCP/IP stack isn't going
>>>>>>>>>> to
>>>>>>>>>> cache
>>>>>>>>>> stuff to give to WinPCAP after the fact.
>>>>>>>>>>
>>>>>>>>>> (BTW, the etherXXX file is just the temporary PCAP file that
>>>>>>>>>> contains
>>>>>>>>>> the
>>>>>>>>>> packets that were captured--and what Wireshark displays for you.
>>>>>>>>>> The
>>>>>>>>>> fact
>>>>>>>>>>
>>>>>>>>>> that
>>>>>>>>>> your password, etc., are in there just indicate that your
>>>>>>>>>> password,
>>>>>>>>>> etc.,
>>>>>>>>>> were
>>>>>>>>>> sent over the wire unencrypted.)
>>>>>>>>>> ..............
>>>>>>>>>> What Jeff described is what I expected but I believe that I
>>>>>>>>>> understand
>>>>>>>>>> now what I am seeing.  WS does its own DNS.  So, that explains the
>>>>>>>>>> first question.
>>>>>>>>>>
>>>>>>>>>> The second issue, however, is still a big concern.  The etherXXXXa
>>>>>>>>>> file always contains the complete (passwords included)
>>>>>>>>>> authentication
>>>>>>>>>> data plus more.  Again, this unsaved (by me) login information was
>>>>>>>>>> sent over the wire in the past (PPP PAP), yet it is being saved
>>>>>>>>>> (by
>>>>>>>>>> ?)
>>>>>>>>>> and put into this file in the present. How can I prevent this
>>>>>>>>>> login
>>>>>>>>>> info from being saved?  How can I encrypt this login info? This is
>>>>>>>>>>
>>>>>>>>>> a
>>>>>>>>>> security risk.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> All that is necessary for evil to succeed is that good men do
>>>>>>>>>> nothing.
>>>>>>>>>>
>>>>>>>>>>              ~Edmund Burke
>>>>>>>>>> ___________________________________________________________________________
>>>>>>>>>> Sent via:    Wireshark-users mailing list
>>>>>>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>>>>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>>>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>>>>>>>
>>>>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>>>>>>>
>>>>>>>>> ___________________________________________________________________________
>>>>>>>>> Sent via:    Wireshark-users mailing list
>>>>>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>>>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>>>>>>
>>>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> All that is necessary for evil to succeed is that good men do
>>>>>>>> nothing.
>>>>>>>>
>>>>>>>>              ~Edmund Burke
>>>>>>>> ___________________________________________________________________________
>>>>>>>> Sent via:    Wireshark-users mailing list
>>>>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>>>>>
>>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>>>>>
>>>>>>> ___________________________________________________________________________
>>>>>>> Sent via:    Wireshark-users mailing list
>>>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>>>>
>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> All that is necessary for evil to succeed is that good men do nothing.
>>>>>>
>>>>>>              ~Edmund Burke
>>>>>> ___________________________________________________________________________
>>>>>> Sent via:    Wireshark-users mailing list
>>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>>>
>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>>>
>>>>> ___________________________________________________________________________
>>>>> Sent via:    Wireshark-users mailing list
>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>>
>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>>>
>>>>
>>>>
>>>> --
>>>> All that is necessary for evil to succeed is that good men do nothing.
>>>>
>>>>              ~Edmund Burke
>>>> ___________________________________________________________________________
>>>> Sent via:    Wireshark-users mailing list
>>>> <wireshark-users@xxxxxxxxxxxxx>
>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>
>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>
>>> ___________________________________________________________________________
>>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>
>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>
>>
>>
>> --
>> All that is necessary for evil to succeed is that good men do nothing.
>>
>>              ~Edmund Burke
>> ___________________________________________________________________________
>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives:    http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>
>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>


-- 
All that is necessary for evil to succeed is that good men do nothing.

              ~Edmund Burke