I was able to stop the capture within WS, then I went to the Temp folder
and within my hex editor was able to Save as. Of course, pcap was not
offered as an extension but I typed it in anyway. Sure enough, it
took. Then I went back to WS and opened that etherXXXXa####.pcap
file. Basically, with its new extension, it looks identical to the
original WS capture. I will now try to obtain a capture with the
password captured to see if I get any closer to determining who is
pulling this info.
Thanks
On 3/24/10, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>
> On Mar 24, 2010, at 1:29 PM, M K wrote:
>
>> The WS capture file does have time stamps. The etherXXXXa file lives
>> at: \Documents and Settings\Administrator\Local Settings\Temp within
>> Windows. This tmp file does not appear to have obvious timestamps.
>
> The etherXXXXa is almost certainly a Wireshark capture file; that file name
> ("ether" dates back to when it was called Ethereal rather than Wireshark) is
> the type of file name Wireshark uses when capturing - when it's capturing,
> it writes the packets to a temporary file, in pcap format.
>
> Try opening it in Wireshark.
>
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
--
All that is necessary for evil to succeed is that good men do nothing.
~Edmund Burke