Wireshark mailing list archives
Re: from the past
From: "Gianluca Varenni" <gianluca.varenni () cacetech com>
Date: Wed, 24 Mar 2010 09:01:13 -0700
Are you saying that when you start Wireshark, wireshark itself starts capturing, *before* you click the start capture button on it? Which adapter is wireshark capturing from? Have a nice day GV -------------------------------------------------- From: "M K" <gedropi () gmail com> Sent: Wednesday, March 24, 2010 8:12 AM To: <wireshark-users () wireshark org> Subject: [Wireshark-users] from the past
Jeff Morriss suggested that I pose this question to you folks. Here is what I wrote: First: I first log onto Windows machine I log onto my Isp I log into my proxy Maybe do a few things online (eg. go to a few websites) Then log into Wireshark Next: When launching WS, immediately the capture starts a DNS authentication trace and an etherXXXXa* file with Windows & ISP usernames AND passwords is created. Since I expect WS to be literal, I would expect that those actions that had taken place in the past (logons & DNS authentication) would not be captured since WS had not been started when I logged on. That means that this information is being cached or worse somewhere. For my peace of mind, please can you tell me about this security issue? Thank you. ...................... Here is what Jeff wrote: Anyway, a brief answer: Wireshark on Windows relies on WinPCAP to do the capturing. I'm pretty sure WinPCAP won't start capturing until you ask it to do so. And I'm pretty sure that the OS's TCP/IP stack isn't going to cache stuff to give to WinPCAP after the fact. (BTW, the etherXXX file is just the temporary PCAP file that contains the packets that were captured--and what Wireshark displays for you. The fact that your password, etc., are in there just indicate that your password, etc., were sent over the wire unencrypted.) .............. What Jeff described is what I expected but I believe that I understand now what I am seeing. WS does its own DNS. So, that explains the first question. The second issue, however, is still a big concern. The etherXXXXa file always contains the complete (passwords included) authentication data plus more. Again, this unsaved (by me) login information was sent over the wire in the past (PPP PAP), yet it is being saved (by ?) and put into this file in the present. How can I prevent this login info from being saved? How can I encrypt this login info? This is a security risk. -- All that is necessary for evil to succeed is that good men do nothing. ~Edmund Burke ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- from the past M K (Mar 24)
- Re: from the past Gianluca Varenni (Mar 24)
- Re: from the past M K (Mar 24)
- Re: from the past Gianluca Varenni (Mar 24)
- Re: from the past M K (Mar 24)
- Re: from the past Graham Bloice (Mar 24)
- Re: from the past M K (Mar 24)
- Re: from the past Graham Bloice (Mar 24)
- Re: from the past M K (Mar 24)
- Re: from the past Jeff Morriss (Mar 24)
- Re: from the past M K (Mar 24)
- Re: from the past Gianluca Varenni (Mar 24)
- Re: from the past Gianluca Varenni (Mar 24)
- Re: from the past M K (Mar 24)