This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Passwords and personal info

0

I work at a University and one of the professors wants IT to install Wireshark in one of the teaching labs for a class. We are concerned that the students will take this opportunity to sniff out password packets and other personal information.

When packets are captured, can the contents actually be viewed, or are they encrypted?

asked 06 Feb '13, 06:47

rfcomm2k

edited 06 Feb '13, 06:50

1

IMHO you have it slightly backwards. You should intentionally introduce fake passwords and personal information on the wire. It would teach an important lesson about the importance of data encryption and likely make the lab more fun and interesting.

(06 Feb '13, 08:36) Gerald Combs ♦♦

"We are concerned that the students will take this opportunity to sniff out password packets and other personal information."

I bet some of them are doing exactly that right now, you just don't know it yet ;-)) Just check how many of them connect to your network with their own laptop...

(06 Feb '13, 12:36) Kurt Knochner ♦

3 Answers:

1

Any encryption depends on the protocol used by the password packets; Wireshark just displays what is captured from the interfaces.

Note that encrypted info can be decrypted by Wireshark, given sufficient extra information that isn't available purely by capturing traffic, e.g. encrypted WiFi traffic given the connection password, or even TLS/SSL traffic given the server secret key.

Depending on the network setup, e.g. switched Ethernet, the traffic available to capture will be restricted to that available from the switch port, which will limit the opportunities for misbehaviour.

answered 06 Feb '13, 07:36

grahamb ♦

Of course some encryption schemes, WEP for example, can be easily cracked.

(06 Feb '13, 07:59) cmaynard ♦♦

Does anyone still consider WEP an encryption scheme these days? It's more an obfuscation than anything else.

(06 Feb '13, 08:10) grahamb ♦

Unfortunately, some people are still using WEP. WPA has also been cracked though.

(06 Feb '13, 08:21) cmaynard ♦♦

1

Depending upon the class, using Wireshark can be entirely appropriate. See this question for another discussion of this issue, from the teacher's point of view.

Regardless, I bet you've got some technically knowledgeable students who have already figured out how to capture traffic on your network. Rather than trying to keep Wireshark off the network, I'd focus more on ensuring that sensitive network traffic is appropriately encrypted.

I would think that your IT staff should already be using Wireshark in the course of maintaining the network, and they should be aware of what traffic crosses the network unencrypted.

answered 06 Feb '13, 09:58

Jim Aragon

0

One way to mitigate this worry is to limit the users that can actually capture traffic.

Assuming sufficiently controlled installations and permissions, you can limit the access to the capture engine (dumpcap (U*IX) or WinPcap (Windows)), or not install the capture engines at all. This way the labs can still use the dissection capabilities of Wireshark, but using previously captured files only, not live traffic.

answered 06 Feb '13, 07:59

Jaap ♦
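
The last answer above limits who can reach the capture engine on U*IX. As an added example (not from the thread or from the Wireshark project), this shell function reports whether a capture helper such as dumpcap can be run by every local user; the path passed in and the verdict names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Wireshark project code): report who can run a capture
# helper such as dumpcap. The path you pass in is site-specific.
#
# Verdicts printed on stdout:
#   missing            capture helper not installed; only saved files can be opened
#   restricted         "other" users cannot execute it (owner/group only)
#   open-unprivileged  anyone can execute it, but it has no setuid bit or file
#                      capabilities, so live capture still needs root
#   open-privileged    anyone can execute it AND it is setuid or has file
#                      capabilities: every local user can capture live traffic
audit_capture_binary() {
    bin=$1
    if [ ! -e "$bin" ]; then
        echo "missing"
        return 0
    fi

    # -L follows symlinks, -n keeps ids numeric; field 1 looks like -rwxr-x---
    mode=$(ls -ldnL "$bin" | awk '{print $1}')
    owner_x=$(printf '%s' "$mode" | cut -c4)    # x, s (setuid+exec), S, or -
    other_x=$(printf '%s' "$mode" | cut -c10)   # x, t (sticky+exec), T, or -

    case $other_x in
        x|t) ;;                                  # world-executable, keep checking
        *)   echo "restricted"; return 0 ;;
    esac

    privileged=no
    case $owner_x in s|S) privileged=yes ;; esac
    # File capabilities (e.g. cap_net_raw) grant capture rights without setuid.
    if command -v getcap >/dev/null 2>&1 && [ -n "$(getcap "$bin" 2>/dev/null)" ]; then
        privileged=yes
    fi

    if [ "$privileged" = yes ]; then
        echo "open-privileged"
    else
        echo "open-unprivileged"
    fi
}

# Audit every path given on the command line, e.g.: sh audit.sh /usr/bin/dumpcap
for b in "$@"; do
    printf '%s: %s\n' "$b" "$(audit_capture_binary "$b")"
done
```

On a lab image, "restricted" or "missing" matches the setup the answer describes; "open-privileged" means any student account can capture live traffic.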