Hi, Both http://www.wireshark.org/ and http://www.wireshark.org/ are not found in ports. Could somebody recommend any software in 4.2 ports that has related functionality? Thank you so much Kind Regards Siju
You can look at this page: http://www.cromwell-intl.com/unix/openbsd-dell.html (I never tried it) -- Julien Cabillot Technicien Unix SDV Plurimedia
Netdude might be of some use (it's a front-end to tcpdump), but I usually just use tcpdump directly (some tips: -vv to increase verbosity, -X for a hex+ascii dump, -s<##> to increase snap

This is for security reasons. The dissectors are often not coded with security in mind, which isn't good since they usually work with untrusted network data. For tcpdump(8) in the base system, the dissectors are run with reduced privileges, protecting from this sort of problem, making it safer.

Also the UI is built using libraries which are not meant to be run with root privileges (http://www.gtk.org/setuid.html explicitly talks about setuid root programs, but I think this would also apply to any programs which need to run as root: "In the opinion of the GTK+ team, the only correct way to write a setuid program with a graphical user interface is to have a setuid backend that communicates with the non-setuid graphical user interface via a mechanism such as a pipe and that considers the input it receives to be untrusted.")

So, really it needs to be split into 3: UI with normal user privileges, privileged access to the network, and reduced privilege for dissectors. There are some wireshark ports floating around where some work has been done towards dropping privileges, but they're not without problems.
If you don't mind building wireshark yourself, one way you can run it with limited privileges is:
1. install wireshark from sources
2. groupadd shark
3. chgrp shark /wherever/wireshark /dev/bpf*
4. chmod g+s,o-x /wherever/wireshark
5. chmod g+rw /dev/bpf*
6. use sudo to grant access to wireshark
Of course, if a bad guy _does_ get control of wireshark, he OWNS your network, but at least you're not totally rooted. Take your chances. --Barry
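Barry's steps 2 to 5 as a script, with a check that the resulting modes are what the recipe intends. This is an added example and not code from the thread or from the Wireshark project; the group name comes from his message, while the binary path and the /dev/bpf* glob are assumptions, and the real run is gated behind DO_IT=1 because it needs root.

```sh
#!/bin/sh
# Added example (not from the thread): Barry's group-based access scheme as a
# script plus a permission check. Binary path and device glob are assumptions.
set -eu

# Ten-character mode string of a file, e.g. -rwxr-sr-- or crw-rw----.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Steps 2-5 (groupadd aside): give GROUP the capture devices and the binary,
# make the binary setgid so the group is effective when it runs, and remove
# execute from "other" so only group members can start it.
# Usage: restrict_wireshark GROUP WIRESHARK_BINARY BPF_DEVICE...
restrict_wireshark() {
    grp=$1; bin=$2; shift 2
    chgrp "$grp" "$bin" "$@"
    chmod g+s,o-x "$bin"
    chmod g+rw "$@"
}

# Verify the outcome. Returns 0 when the binary is setgid and not executable
# by others and every device is group read/write; otherwise prints the first
# problem and returns 1.
# Usage: check_restrictions WIRESHARK_BINARY BPF_DEVICE...
check_restrictions() {
    bin=$1; shift
    m=$(mode_of "$bin")
    case "$m" in
        ??????s??[!x]) ;;                      # group x slot is 's', other has no x
        *) echo "$bin: unexpected mode $m"; return 1 ;;
    esac
    for dev in "$@"; do
        m=$(mode_of "$dev")
        case "$m" in
            ????rw????) ;;                     # group may read and write the device
            *) echo "$dev: unexpected mode $m"; return 1 ;;
        esac
    done
    return 0
}

# Step 1 (building from source) and step 6 (the sudo grant) are not scripted.
# Run as root with DO_IT=1 to apply the recipe to the assumed real paths.
WIRESHARK=${WIRESHARK:-/usr/local/bin/wireshark}   # assumption: install path
if [ "${DO_IT:-0}" = 1 ]; then
    groupadd shark                                 # step 2
    restrict_wireshark shark "$WIRESHARK" /dev/bpf*
    check_restrictions "$WIRESHARK" /dev/bpf*
fi
```

The check deliberately insists on a lowercase 's' in the group slot: an uppercase 'S' would mean the setgid bit is set on a file that group members cannot execute, which is not what the recipe wants. Nothing here removes read access for "other" on the devices beyond what they already had, so run the check rather than assuming the glob matched every bpf node.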
How so? Given that all it is is a frontend to libpcap. And how does this
tcpdump runs the scary code in a jail.
Thanks a lot Cabillot, Kevin, Barry, Ray, Bryan and Stuart for the Detailed Information :-) Kind Regards Siju
Doesn't http://marc.info/?m=117390704628262 do the same thing? I haven't looked at it, just saw the post.
ah, Nikns' port: this isn't a full jail, but it does drop privileges so it's a start. http://wiki.wireshark.org/Development/PrivilegeSeparation references this (so, some wireshark developers do recognise it needs to be done). IIRC (it's a while since I looked at it) there are some problems: you run the whole thing as root (including the GUI, which uses toolkits which are specifically not meant to be run as root), then after opening the capture device privs are dropped, at which point you can no longer access files you should have access to. There is another hackish workaround: mkfifo a file, then use tcpdump to do the capture into that. Run wireshark as a normal or (better) jailed user, and read from the FIFO. Messy, though... Anyway, this is probably of limited interest on misc@, so if anyone is interested in continuing this, ports@ is a better place (or the wireshark lists).
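The FIFO workaround from the message above as a script, added here as an example that is not code from the thread or from Wireshark. It keeps the layout the thread argues for as far as base-system tools allow: tcpdump(8), with its own privilege drop, does the privileged capture, wireshark runs as the invoking user and only ever reads the pipe, and the FIFO lives in a private 0700 directory with mode 0600 so no other local user can read or inject packets. The interface name, the snaplen and the use of sudo are assumptions, and the capture itself is gated behind DO_IT=1.

```sh
#!/bin/sh
# Added example (not from the thread): tcpdump as root writes into a FIFO,
# wireshark as an unprivileged user reads it. Interface and snaplen assumed.
set -eu

# Ten-character mode string of a file, e.g. prw-------.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Create the hand-off FIFO with mode 0600, refusing to reuse anything that is
# already at that path (a planted symlink or a world-readable FIFO would let
# another user read or feed the capture).
# Usage: make_capture_fifo PATH
make_capture_fifo() {
    fifo=$1
    if [ -e "$fifo" ] || [ -L "$fifo" ]; then
        echo "$fifo: already exists, refusing to reuse" >&2
        return 1
    fi
    ( umask 077; mkfifo "$fifo" )
    [ -p "$fifo" ] && [ "$(mode_of "$fifo")" = "prw-------" ]
}

# Privileged half: tcpdump(8) from base writes raw packets into the FIFO.
# Unprivileged half: wireshark reads the pipe as the invoking user; -i accepts
# a named pipe and -k starts the capture immediately. tcpdump blocks on the
# open until wireshark opens the read end, so the order below is fine.
# Usage: capture_via_fifo IFACE FIFO
capture_via_fifo() {
    iface=$1; fifo=$2
    sudo tcpdump -i "$iface" -s 1500 -w "$fifo" &    # -s<n>: snaplen (assumed value)
    capture_pid=$!
    wireshark -k -i "$fifo"
    sudo kill "$capture_pid" 2>/dev/null || true       # stop the capture when the UI exits
    rm -f "$fifo"
}

# Run with DO_IT=1 from a normal user account that may sudo tcpdump.
if [ "${DO_IT:-0}" = 1 ]; then
    d=$(mktemp -d)                                     # private 0700 directory
    make_capture_fifo "$d/cap"
    capture_via_fifo em0 "$d/cap"                      # em0: assumed interface
    rmdir "$d"
fi
```

The dissectors still run inside the wireshark process, so this only removes root from the UI and the parsing; it does not give the dissectors their own reduced privilege as the thread wants. Reading from the pipe also means no live interface selection or capture filter editing in the UI: change those on the tcpdump side.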
