Wireshark-users: Re: [Wireshark-users] from the past

From: bart sikkes <b.sikkes@xxxxxxxxx>
Date: Thu, 25 Mar 2010 09:24:41 +0100
I think M K is convinced by now that he isn't capturing from the past
and where the magical file comes from. As for who is sending this
information, as stated before, show us the capture: remove the login
/ username and just show it. Without the exact info it is hard to help
you.

greetings,
bart

On Thu, Mar 25, 2010 at 7:58 AM, Abhik Sarkar <sarkar.abhik@xxxxxxxxx> wrote:
> Just shooting in the dark because I have never tried this myself, but
> wouldn't this be the expected behavior if the option "Start WinPcap service
> "NPF" at startup" was selected at the time of installation?
>
> On Thu, Mar 25, 2010 at 7:08 AM, Martin Visser <martinvisser99@xxxxxxxxx> wrote:
>>
>> Right at the start of this thread you talked about "DNS Authentication".
>> Is this to do with what you see? DNS doesn't normally have any
>> authentication requirement.
>> If you are seeing DNS packets that contains something that looks like a
>> username or password, I suspect you have a very clever little trojan
>> installed that is sending some nice data off to the bad guys almost covertly
>> via DNS.
>>
>> Regards, Martin
>>
>> MartinVisser99@xxxxxxxxx
>>
>>
>> On Thu, Mar 25, 2010 at 8:29 AM, M K <gedropi@xxxxxxxxx> wrote:
>>>
>>> Closer to #2.  The etherXXXX file is only created when I start a WS
>>> capture.  It is apparent to me now that this tmp file is pretty
>>> identical to the capture inside WS.  OK.  But, I guess this exercise
>>> still brings home the problem of who is (off and on) pulling my
>>> password information, from where and where is it going?  I know this
>>> isn't a WS problem.  WS was only doing its job.
>>>
>>> About the transfer of authentication data, why isn't it encrypted?
>>> What can I do to make this happen?
>>>
>>> It doesn't do a lick of good to harden your computer if your
>>> authentication data is all over the place in clear text.
>>>
>>> Thanks
>>>
>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>> > Now I'm a bit confused (I'm probably missing something here). In your
>>> > original email you said
>>> >
>>> >>>>>>>>>>>>> The second issue, however, is still a big concern.  The etherXXXXa
>>> >>>>>>>>>>>>> file always contains the complete (passwords included) authentication
>>> >>>>>>>>>>>>> data plus more.  Again, this unsaved (by me) login information was
>>> >>>>>>>>>>>>> sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
>>> >>>>>>>>>>>>> and put into this file in the present. How can I prevent this login
>>> >>>>>>>>>>>>> info from being saved?  How can I encrypt this login info?  This is a
>>> >>>>>>>>>>>>> security risk.
>>> >
>>> > I don't understand if
>>> >
>>> > 1. the file etherXXXX "magically" appears even when you do not start
>>> > wireshark and you do not start a capture
>>> >
>>> > or
>>> >
>>> > 2. you do open wireshark and start a capture (in this case wireshark does
>>> > create an etherXXXX file), and you see packets containing your username and
>>> > password (and other sensitive data) that were exchanged with your ISP/proxy
>>> > *well before* you started to capture with wireshark.
>>> >
>>> > Which one is the right one?
>>> >
>>> > GV
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > --------------------------------------------------
>>> > From: "M K" <gedropi@xxxxxxxxx>
>>> > Sent: Wednesday, March 24, 2010 1:48 PM
>>> > To: "Community support list for Wireshark"
>>> > <wireshark-users@xxxxxxxxxxxxx>
>>> > Subject: Re: [Wireshark-users] from the past
>>> >
>>> >> The etherXXXX file is only a tmp file written in hex.  I believe that
>>> >> it would be impossible to open within WS because the only time the
>>> >> ethernet file exists is when you are already in the middle of a
>>> >> capture.  And it vanishes when you stop the capture or shut down WS, I
>>> >> believe.  Opening another file while performing a capture is not
>>> >> enabled.  Unless if you had multiple instances of WS perhaps.
>>> >>
>>> >> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>> >>>
>>> >>>
>>> >>> --------------------------------------------------
>>> >>> From: "M K" <gedropi@xxxxxxxxx>
>>> >>> Sent: Wednesday, March 24, 2010 1:29 PM
>>> >>> To: "Community support list for Wireshark"
>>> >>> <wireshark-users@xxxxxxxxxxxxx>
>>> >>> Subject: Re: [Wireshark-users] from the past
>>> >>>
>>> >>>> The WS  capture file does have time stamps.  The etherXXXXa file lives
>>> >>>> at:  \Documents and Settings\Administrator\Local Settings\Temp within
>>> >>>> Windows.  This tmp file does not appear to have obvious timestamps.
>>> >>>> Machine name, Administrator User name, packet source/dest and at
>>> >>>> times, also the passwords to Windows and ISP.
>>> >>>
>>> >>> Wait... is this a pcap file or not? Can you open it with wireshark?
>>> >>>
>>> >>> Have a nice day
>>> >>> GV
>>> >>>
>>> >>>
>>> >>>>
>>> >>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>> >>>>>
>>> >>>>>
>>> >>>>> --------------------------------------------------
>>> >>>>> From: "M K" <gedropi@xxxxxxxxx>
>>> >>>>> Sent: Wednesday, March 24, 2010 12:45 PM
>>> >>>>> To: "Community support list for Wireshark"
>>> >>>>> <wireshark-users@xxxxxxxxxxxxx>
>>> >>>>> Subject: Re: [Wireshark-users] from the past
>>> >>>>>
>>> >>>>>> Sorry.  I got called away.
>>> >>>>>>
>>> >>>>>> The etherXXXX tmp file doesn't appear to have timestamps.  But within
>>> >>>>>
>>> >>>>> If it's a valid capture file, the packets must have a timestamp, if you
>>> >>>>> open the file with wireshark.
>>> >>>>>
>>> >>>>> GV
>>> >>>>>
>>> >>>>>
>>> >>>>>> WS, the LLC (Layer 2) & PPP LCP protocols are the first protocols to
>>> >>>>>> show up in the trace at the time the login info is captured inside the
>>> >>>>>> tmp file.
>>> >>>>>>
>>> >>>>>> I suspect that this info is being passed to the tmp file.  Possible
>>> >>>>>> suspects: the OS or networking appliances.
>>> >>>>>>
>>> >>>>>> Yes, the interface is:  Adapter for generic dialup and VPN
>>> >>>>>>
>>> >>>>>> And thanks for this feedback and help.
>>> >>>>>>
>>> >>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>> >>>>>>> You didn't answer my questions:
>>> >>>>>>>
>>> >>>>>>> 1. what is the timestamp of those packets?
>>> >>>>>>> 2. what interface are you capturing from?
>>> >>>>>>>
>>> >>>>>>> Are you capturing from what is called "Adapter for generic dialup and VPN
>>> >>>>>>> capture"?
>>> >>>>>>>
>>> >>>>>>> Have a nice day
>>> >>>>>>> GV
>>> >>>>>>>
>>> >>>>>>>
>>> >>>>>>>
>>> >>>>>>> --------------------------------------------------
>>> >>>>>>> From: "M K" <gedropi@xxxxxxxxx>
>>> >>>>>>> Sent: Wednesday, March 24, 2010 9:25 AM
>>> >>>>>>> To: "Community support list for Wireshark"
>>> >>>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>> >>>>>>> Subject: Re: [Wireshark-users] from the past
>>> >>>>>>>
>>> >>>>>>>> That is exactly what I am doing.  I log onto my Windows machine, then
>>> >>>>>>>> my ISP, then my proxy.  Then maybe go to a few websites, for example.
>>> >>>>>>>> Then maybe after a half hour, I may then start up a WS capture.
>>> >>>>>>>> Still, even after all that time between logons and actually starting a
>>> >>>>>>>> capture, the etherXXXXa tmp file still contains this private info.
>>> >>>>>>>>
>>> >>>>>>>> According to Jeff, the etherXXXXa file only captures what is not
>>> >>>>>>>> encrypted.  That makes this even more scary.  That means that not only
>>> >>>>>>>> is the info being captured but it isn't even being protected by even
>>> >>>>>>>> low-grade encryption.
>>> >>>>>>>>
>>> >>>>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>> >>>>>>>>>
>>> >>>>>>>>>
>>> >>>>>>>>> --------------------------------------------------
>>> >>>>>>>>> From: "M K" <gedropi@xxxxxxxxx>
>>> >>>>>>>>> Sent: Wednesday, March 24, 2010 9:11 AM
>>> >>>>>>>>> To: "Community support list for Wireshark"
>>> >>>>>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>> >>>>>>>>> Subject: Re: [Wireshark-users] from the past
>>> >>>>>>>>>
>>> >>>>>>>>>> That is the question.  I am saying that some program (?) is capturing
>>> >>>>>>>>>> my unsaved login info.  Then at a later point, when I start a WS
>>> >>>>>>>>>> capture, that login info from the past is put into that EtherxXXXXa
>>> >>>>>>>>>> tmp file.
>>> >>>>>>>>>
>>> >>>>>>>>> What happens if you log into your ISP and proxy, wait let's say 5 minutes
>>> >>>>>>>>> and then start wireshark? Do those packets still show up? What is their
>>> >>>>>>>>> timestamp?
>>> >>>>>>>>>
>>> >>>>>>>>> GV
>>> >>>>>>>>>
>>> >>>>>>>>>>
>>> >>>>>>>>>> On 3/24/10, Gianluca Varenni <gianluca.varenni@xxxxxxxxxxxx> wrote:
>>> >>>>>>>>>>> Are you saying that when you start Wireshark, wireshark itself starts
>>> >>>>>>>>>>> capturing, *before* you click the start capture button on it?
>>> >>>>>>>>>>> Which adapter is wireshark capturing from?
>>> >>>>>>>>>>>
>>> >>>>>>>>>>>
>>> >>>>>>>>>>> Have a nice day
>>> >>>>>>>>>>> GV
>>> >>>>>>>>>>>
>>> >>>>>>>>>>>
>>> >>>>>>>>>>> --------------------------------------------------
>>> >>>>>>>>>>> From: "M K" <gedropi@xxxxxxxxx>
>>> >>>>>>>>>>> Sent: Wednesday, March 24, 2010 8:12 AM
>>> >>>>>>>>>>> To: <wireshark-users@xxxxxxxxxxxxx>
>>> >>>>>>>>>>> Subject: [Wireshark-users] from the past
>>> >>>>>>>>>>>
>>> >>>>>>>>>>>> Jeff Morriss suggested that I pose this question to you folks.
>>> >>>>>>>>>>>>
>>> >>>>>>>>>>>> Here is what I wrote:
>>> >>>>>>>>>>>> First:
>>> >>>>>>>>>>>> I first log onto Windows machine
>>> >>>>>>>>>>>> I log onto my ISP
>>> >>>>>>>>>>>> I log into my proxy
>>> >>>>>>>>>>>> Maybe do a few things online (eg. go to a few websites)
>>> >>>>>>>>>>>> Then log into Wireshark
>>> >>>>>>>>>>>>
>>> >>>>>>>>>>>> Next:
>>> >>>>>>>>>>>> When launching WS, immediately the capture starts a DNS authentication
>>> >>>>>>>>>>>> trace and an etherXXXXa* file with Windows & ISP usernames AND
>>> >>>>>>>>>>>> passwords is created.
>>> >>>>>>>>>>>> Since I expect WS to be literal, I would expect that those actions that
>>> >>>>>>>>>>>> had taken place in the past (logons & DNS authentication) would not be
>>> >>>>>>>>>>>> captured since WS had not been started when I logged on.  That means
>>> >>>>>>>>>>>> that this information is being cached or worse somewhere.  For my
>>> >>>>>>>>>>>> peace of mind, please can you tell me about this security issue?
>>> >>>>>>>>>>>> Thank you.
>>> >>>>>>>>>>>> ......................
>>> >>>>>>>>>>>>
>>> >>>>>>>>>>>> Here is what Jeff wrote:
>>> >>>>>>>>>>>> Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do
>>> >>>>>>>>>>>> the capturing.  I'm pretty sure WinPCAP won't start capturing until
>>> >>>>>>>>>>>> you ask it to do so.  And I'm pretty sure that the OS's TCP/IP stack
>>> >>>>>>>>>>>> isn't going to cache stuff to give to WinPCAP after the fact.
>>> >>>>>>>>>>>>
>>> >>>>>>>>>>>> (BTW, the etherXXX file is just the temporary PCAP file that contains
>>> >>>>>>>>>>>> the packets that were captured--and what Wireshark displays for you.
>>> >>>>>>>>>>>> The fact that your password, etc., are in there just indicate that
>>> >>>>>>>>>>>> your password, etc., were sent over the wire unencrypted.)
>>> >>>>>>>>>>>> ..............
>>> >>>>>>>>>>>> What Jeff described is what I expected but I believe that I understand
>>> >>>>>>>>>>>> now what I am seeing.  WS does its own DNS.  So, that explains the
>>> >>>>>>>>>>>> first question.
>>> >>>>>>>>>>>>
>>> >>>>>>>>>>>> The second issue, however, is still a big concern.  The etherXXXXa
>>> >>>>>>>>>>>> file always contains the complete (passwords included) authentication
>>> >>>>>>>>>>>> data plus more.  Again, this unsaved (by me) login information was
>>> >>>>>>>>>>>> sent over the wire in the past (PPP PAP), yet it is being saved (by ?)
>>> >>>>>>>>>>>> and put into this file in the present. How can I prevent this login
>>> >>>>>>>>>>>> info from being saved?  How can I encrypt this login info?  This is a
>>> >>>>>>>>>>>> security risk.
>>> >>>>>>>>>>>>
>>> >>>>>>>>>>>>
>>> >>>>>>>>>>>> --
>>> >>>>>>>>>>>> All that is necessary for evil to succeed is that good men
>>> >>>>>>>>>>>> do
>>> >>>>>>>>>>>> nothing.
>>> >>>>>>>>>>>>
>>> >>>>>>>>>>>>              ~Edmund Burke
>>> >>>>>>>>>>>>
>>> >>>>>>>>>>>> ___________________________________________________________________________
>>> >>>>>>>>>>>> Sent via:    Wireshark-users mailing list
>>> >>>>>>>>>>>> <wireshark-users@xxxxxxxxxxxxx>
>>> >>>>>>>>>>>> Archives:    http://www.wireshark.org/lists/wireshark-users
>>> >>>>>>>>>>>> Unsubscribe:
>>> >>>>>>>>>>>> https://wireshark.org/mailman/options/wireshark-users
>>> >>>>>>>>>>>>
>>> >>>>>>>>>>>>
>>> >>>>>>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
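
Two points raised in the thread can be checked directly against the temporary capture file: whether its packets carry timestamps, and whether a PPP PAP login is sitting in it in clear text. The following is an added example, not part of the original thread: a Python reader for the classic pcap format that lists each PAP Authenticate-Request with its capture time and reports only the password length. It assumes the file uses pcap link type PPP (9); the capture bytes, user name and password below are constructed sample values.

```python
import struct
from datetime import datetime, timezone

LINKTYPE_PPP = 9    # pcap link type for PPP frames (assumed for this example)
PPP_PAP = 0xC023    # PPP protocol number for PAP (RFC 1334)

def read_pcap(blob):
    """Yield (linktype, timestamp, frame) for each record of a classic pcap file."""
    if blob[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                       # written on a little-endian host
    elif blob[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", blob[20:24])[0]
    off = 24                            # global header is 24 bytes
    while off + 16 <= len(blob):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", blob[off:off + 16])
        frame = blob[off + 16:off + 16 + incl]
        if len(frame) < incl:
            break                       # truncated final record
        off += 16 + incl
        yield linktype, sec + usec / 1e6, frame

def find_pap_requests(blob):
    """Return capture time and peer ID of every PAP Authenticate-Request."""
    hits = []
    for linktype, ts, frame in read_pcap(blob):
        if linktype != LINKTYPE_PPP:
            raise ValueError("example only handles link type PPP (9)")
        if frame[:2] == b"\xff\x03":    # optional HDLC address/control bytes
            frame = frame[2:]
        if len(frame) < 7 or struct.unpack(">H", frame[:2])[0] != PPP_PAP:
            continue
        code, _ident, length = struct.unpack(">BBH", frame[2:6])
        if code != 1:                   # 1 = Authenticate-Request
            continue
        body = frame[6:2 + length]
        if not body or len(body) < 2 + body[0]:
            continue                    # malformed request
        id_len = body[0]
        when = datetime.fromtimestamp(ts, tz=timezone.utc)
        hits.append({
            "time": when.isoformat(),
            "peer_id": body[1:1 + id_len].decode("latin-1"),
            "password_len": body[1 + id_len],   # sent in clear; not echoed here
        })
    return hits

def build_sample():
    """Constructed capture: one LCP frame, then one PAP Authenticate-Request."""
    def rec(ts, frame):
        return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_PPP)
    lcp = b"\xff\x03\xc0\x21\x01\x01\x00\x04"
    user, pw = b"user@example.net", b"not-a-real-secret"   # constructed values
    body = bytes([len(user)]) + user + bytes([len(pw)]) + pw
    pap = b"\xff\x03" + struct.pack(">HBBH", PPP_PAP, 1, 1, 4 + len(body)) + body
    return hdr + rec(1269418320, lcp) + rec(1269418321, pap)

if __name__ == "__main__":
    for hit in find_pap_requests(build_sample()):
        print(hit)
```

Every record in a pcap file carries its own capture time, so a PAP request listed here was on the wire at the time shown, while the capture was running.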