This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Issue 1: Security Configuration Wireshark starts a Windows service (titled “NPF Service”) which enabled network traffic sniffing on the Windows OS it is running on. This service continues to run after the Wireshark software has been shut down. It will continue to run (and can be used to sniff network traffic) until the machine is shut down or rebooted.

How would I be able to shutdown the NPF service upon exiting Wireshark?

Issue 2: Data Confidentiality Wireshark exports (.pcap-based Packet Capture files) often contain sensitive information such as routing information, IP Addresses, as well as cipher-capabilities (found in handshakes for encrypted protocols) and should be protected as much as possible through the their lifetimes.

How can they securely be protected since they may contain confidential information

asked 07 Feb '13, 07:48

easye609's gravatar image

easye609
11114
accept rate: 0%

edited 07 Feb '13, 07:49


How would I be able to shutdown the NPF service upon exiting Wireshark?

by stopping it manually from an elevated DOS box (sc stop npf).

How can they securely be protected since they may contain confidential information

By encrypting it with your preferred tool (e.g. those mentioned by @Jasper).

BTW: Honestly, those 'findings' are 'level three' findings that usually go into a report only if nothing serious was found in an audit ;-)) I have seen similar things, as some (not so clever) customers are not happy to hear that there is no serious problem in their environment. They prefer to get a 'result' for the money they spent :-)) Well, obviously they get what they ask for.

Explanation:

Issue 1:

It will continue to run (and can be used to sniff network traffic) until the machine is shut down or rebooted.

Well, yes. But how hard would it be to simply start Wireshark a second time to capture data?? So, not NPF is the problem. The real problem is, that 'something' (Malware) or someone (bad user) would be able to misuse the NPF service. In both cases it's not the NPF service that poses a risk. It's that fact that either of the two (malware, bad user) has access to that system, which is probably due to a bigger security problem in your environment. So, the 'finding' of the auditor implies that it is possible to misuse the NPF service, but he/she does not explain why this would be possible and how to protect against those risks ;-))

Issue 2:

(.pcap-based Packet Capture files) often contain sensitive information such as routing information, IP Addresses, as well as cipher-capabilities

Well, yes. That's the purpose of a network troubleshooting tool and it is absolutely obvious that you need to properly protect that information. Unfortunately the 'auditor' mentioned only things that are totally uncritical.

such as routing information, IP Addresses, as well as cipher-capabilities (found in handshakes for encrypted protocols)

come on, that's all 'publicly' available information that needs no protection at all. He/She forgot to mention the more interesting things:

  • user credentials (username/password)
  • transmitted e-mails, documents, etc.

So, please ask your 'auditor' why he/she demands to protect irrelevant information, while he/she did not mention the things that really need protection !??! Or just forward my answer to him/her and ask for a comment :-))

Regards
Kurt

permanent link

answered 07 Feb '13, 08:18

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 07 Feb '13, 16:57

  1. You could write a batch script that starts npf service and then calls Wireshark.exe, and stops npf service again when Wireshark quits

  2. A couple of things you can do include: storing capture files in encrypted containers (TrueCrypt, PGP, 7Zip with password), or you could anonymize parts of the file using tools like pktanon, bittwiste or tcprewrite if the capture file cannot be guaranteed to stay within trusted boundaries.

permanent link

answered 07 Feb '13, 07:52

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

a batch script that starts npf service and then calls Wireshark.exe,

Just a thought: you need admin privileges to start/stop the service. That means the script will run with admin privileges as well and then start Wireshark with the same privileges. That would destroy the privilege separation.

(07 Feb '13, 08:01) Kurt Knochner ♦

Okay, then maybe a three-step process... two batches for starting and stopping the service (or one with a pause key between start and stop). And Wireshark, started by icon as usual.

(07 Feb '13, 08:09) Jasper ♦♦

Hmmm third party software tends to create more problems then fix them where I work unfortunately. Any ideas that may not require third party software?

(07 Feb '13, 08:09) easye609

What do you mean by third party software? A batch script is a system tool. Or do you mean Wireshark?

(07 Feb '13, 08:11) Jasper ♦♦

I was referencing your solution to my second problem.

Though a batch script may also propose issues since it would have to execute higher then users privileges that wants to use Wireshark since in most cases they do not have admin privileges.

(07 Feb '13, 08:14) easye609

Well, if you're concerned someone is capturing information while not being allowed to, but you need Wireshark installed nonetheless, you need to decide which way to go.

As long as Wireshark is installed, it's either NPF running and a user with non-admin rights can capture, or an admin has to run things anyway.

If you don't want NPF running, an admin has to be there to start and stop it to allow a user to capture when he is supposed to.

(07 Feb '13, 08:31) Jasper ♦♦
showing 5 of 6 show 1 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×61
×36
×19

question asked: 07 Feb '13, 07:48

question was seen: 4,566 times

last updated: 07 Feb '13, 16:57

p​o​w​e​r​e​d by O​S​Q​A