Wireshark mailing list archives

Re: Secured way of using Wireshark


From: Nagendrababu Maseedu <Nagendra.Babu.Maseedu () convergys com>
Date: Wed, 16 Jun 2010 12:32:32 +0530

Hi Martin,

Indeed Guy's reply fits well. And I agree that human security control works well. But a human is a human (rather a 
greedy animal :-) and curiosity spares none.

When I initially posted this question I did not put forth my views/suggestions. Hence, the confusion. Sorry for that.

Now it is clear as to what my call is for this issue.

Thanks to all who replied to my topic and helped me decide how to solve this issue.

Kind regards,
Nag.

________________________________
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Martin Visser
Sent: Wednesday, June 16, 2010 12:08 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Secured way of using Wireshark

Nag.,

I think Guy has pretty much filled you in on the Remote Capture interface. The reality is that if your users do have 
admin rights to a machine then they can do pretty much anything they like. While you could make the Remote Packet 
Capture Service only runnable by certain users, you would need to make sure that no user can "trump" those changes with 
Admin rights.

(And of course, if you allow users to have physical access to machines (and don't lock down the BIOS, USB ports, etc.), 
they can pretty much boot up anything they like.)

Usually many such security issues are better solved through human security controls (telling people not to do the wrong 
thing if they want to keep their job) than through onerous technical measures.

Regards, Martin

MartinVisser99 () gmail com

On Wed, Jun 16, 2010 at 3:01 PM, Maynard, Chris <Christopher.Maynard () gtech com> wrote:
I was confused by the question too, but if I focus only on the question asked, namely, "Is there a way to capture 
packets from/to a selected list of IP address on a LAN?", then the answer is yes.

First you must set things up so the machine doing the capturing has access to the packets of interest.  This may 
involve adding a hub, enabling port mirroring on a switch, etc.  See http://wiki.wireshark.org/CaptureSetup for more 
information.

And second, you must use an appropriate capture filter.  For example, if you want to capture all packets sent from/to 2 
hosts (assume IP addresses IP1 and IP2), to any other host then you might use the following capture filter to 
accomplish this: "host IP1 or host IP2".  If you only want to see packets sent between those 2 hosts, then you would 
use, "host IP1 and host IP2".  See http://wiki.wireshark.org/CaptureFilters for more information on capture filters.

Now if you want to "restrict the packet capturing to a set of machines ...", then that's a different problem to solve.

- Chris
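The two filters Chris gives, worked through as an added example (this code is not from the thread or from the Wireshark project). It generalises "host IP1 or host IP2" and "host IP1 and host IP2" to any list of hosts, emits the BPF capture-filter string that tshark, dumpcap and tcpdump accept, and applies the same rule in Python to a few constructed (src, dst) packets so the difference between "from/to any listed host" and "only between listed hosts" is visible. The addresses 10.0.0.1, 10.0.0.2, 10.0.0.99 and 10.0.0.50 and the packet list are made up for the example.

```python
"""Build and evaluate Wireshark/tcpdump-style capture filters for a host list.

Added example, not code from the mailing-list thread. Hosts and sample packets
are constructed. The strings returned are ordinary BPF capture-filter syntax:
    tshark -i eth0 -f "<filter>"      or      tcpdump -i eth0 "<filter>"
"""
from ipaddress import ip_address


def _check(hosts):
    """Validate and de-duplicate the host list, in order.

    ip_address() raises ValueError on anything that is not an address, so a
    typo never turns into a filter that silently matches nothing.
    """
    seen = []
    for h in hosts:
        ip_address(h)
        if h not in seen:
            seen.append(h)
    if not seen:
        raise ValueError("need at least one host")
    return seen


def filter_any(hosts):
    """Packets sent from OR to any listed host: 'host IP1 or host IP2 ...'."""
    return " or ".join(f"host {h}" for h in _check(hosts))


def filter_between(hosts):
    """Packets exchanged only between listed hosts.

    For two distinct hosts this keeps the same packets as Chris's
    'host IP1 and host IP2'. Written as 'source in set AND destination in set'
    so that it also works for three or more hosts.
    """
    hosts = _check(hosts)
    if len(hosts) < 2:
        raise ValueError("'between' needs at least two hosts")
    src = " or ".join(f"src host {h}" for h in hosts)
    dst = " or ".join(f"dst host {h}" for h in hosts)
    return f"({src}) and ({dst})"


def matches(mode, hosts, pkt):
    """Apply the same rule to a (src, dst) tuple.

    This mirrors the decision the kernel BPF program makes before a packet is
    handed to the capture tool and written to disk.
    """
    hosts = set(_check(hosts))
    src, dst = pkt
    if mode == "any":
        return src in hosts or dst in hosts
    if mode == "between":
        return src in hosts and dst in hosts
    raise ValueError(f"unknown mode {mode!r}")


# Constructed traffic as (src, dst). 10.0.0.1 and 10.0.0.2 are the "selected"
# machines; 10.0.0.99 and 10.0.0.50 are bystanders on the same LAN.
SAMPLE = [
    ("10.0.0.1", "10.0.0.2"),
    ("10.0.0.2", "10.0.0.1"),
    ("10.0.0.1", "10.0.0.99"),
    ("10.0.0.99", "10.0.0.2"),
    ("10.0.0.99", "10.0.0.50"),
]


def capture(mode, hosts, packets=SAMPLE):
    """Return the packets the filter would keep, in arrival order."""
    return [p for p in packets if matches(mode, hosts, p)]


if __name__ == "__main__":
    selected = ["10.0.0.1", "10.0.0.2"]
    print(filter_any(selected))        # host 10.0.0.1 or host 10.0.0.2
    print(capture("any", selected))    # first four sample packets
    print(filter_between(selected))
    print(capture("between", selected))  # only the two 10.0.0.1<->10.0.0.2 packets
```

A capture filter only decides what the capturing machine records; in promiscuous mode (or behind a mirror port) the NIC still receives every frame on the segment, and a user with admin rights on the capture box can edit or remove the filter. That is Martin's point later in the thread: the filter limits the dataset, not the person.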

________________________________
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Martin Visser
Sent: Tuesday, June 15, 2010 8:57 PM

To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Secured way of using Wireshark

Nag,

I'm not sure what you mean by your question. Capturing packets is for the most part passive, in that you are saving 
packets to a file for viewing. Wireshark does not propagate packets to the rest of the network, no matter how virus 
laden they are. (Certainly as long as those packets are not specially crafted to maybe exploit a vulnerability in 
Wireshark itself, which, while it has been done, is very very rarely actually seen in the wild.)

Regards, Martin

MartinVisser99 () gmail com

On Tue, Jun 15, 2010 at 6:55 PM, Nagendrababu Maseedu <Nagendra.Babu.Maseedu () convergys com> wrote:
Hi,

Is there a way to capture packets from/to a selected list of IP address on a LAN?
The need is to restrict the packet capturing to a set of machines so that security breach does not happen on other 
machines on the same network.

Please let me know if you have any other mechanism to satisfy this need.


Kind regards,
Nag.

________________________________
NOTICE: The information contained in this electronic mail transmission is intended by Convergys Corporation for the use 
of the named individual or entity to which it is directed and may contain information that is privileged or otherwise 
confidential. If you have received this electronic mail transmission in error, please delete it from your system 
without copying or forwarding it, and notify the sender of the error by reply email or by telephone (collect), so that 
the sender's address records can be corrected.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe


CONFIDENTIALITY NOTICE: The contents of this email are confidential and for the exclusive use of the intended recipient. 
If you receive this email in error, please delete it from your system immediately and notify us either by email, 
telephone or fax. You should not copy, forward, or otherwise disclose the content of the email.



