Wireshark-users: [Wireshark-users] TCP Decoding differences between Ethereal 0.99 and Wireshark 0
From: "Small, James" <JSmall@xxxxxxxxxxxxxx>
Date: Tue, 31 Oct 2006 23:50:40 -0500
I teach networking and security at a community college.  When explaining
to students why they should bother to use ssh and not telnet I like to
show how easy it is to capture plain text passwords by firing up
Wireshark and doing a live demo.  Sometimes a picture/demo is worth a
thousand words.  Even though this is fairly common knowledge for
experienced network/security folks, I find many people are shocked to see
just how easy it is.

At any rate, my demo consists of telnetting to a router while running
Wireshark and logging in.  I then use the Follow TCP Stream option
to show that the password is easily exposed.

Except--when I follow the TCP stream with Ethereal 0.99, this works
great.  However, when I do the same thing with Wireshark 0.99.3/4 (I've
tried 0.99.3 and just uninstalled/re-installed 0.99.4), the password
does not appear in the ASCII/Raw decoding screens.  If I look at the
individual packets I can piece together the password.  Also, if I use
the Hex Dump option, it's not as easy to read as in 0.99 but you can see it.

Is there a preference change or something else from 0.99 to 0.99.3/4
that would explain this?

Thanks,
  --Jim