You can look at this page: http://www.cromwell-intl.com/unix/openbsd-dell.html (I never tried it) -- Julien Cabillot Technicien Unix SDV Plurimedia
Netdude might be of some use (it's a front-end to tcpdump), but I usually just use tcpdump directly (some tips: -vv to increase verbosity, -X for a hex+ascii dump, -s<##> to increase snap

This is for security reasons. The dissectors are often not coded with security in mind, which isn't good since they usually work with untrusted network data. For tcpdump(8) in the base system, the dissectors are run with reduced privileges, protecting from this sort of problem, making it safer. Also the UI is built using libraries which are not meant to be run with root privileges (http://www.gtk.org/setuid.html explicitly talks about setuid root programs, but I think this would also apply to any programs which need to run as root: "In the opinion of the GTK+ team, the only correct way to write a setuid program with a graphical user interface is to have a setuid backend that communicates with the non-setuid graphical user interface via a mechanism such as a pipe and that considers the input it receives to be untrusted.") So, really it needs to be split into 3: UI with normal user privileges, privileged access to the network, and reduced privilege for dissectors. There are some wireshark ports floating around where some work has been done towards dropping privileges, but they're not without problems.
If you don't mind building wireshark yourself, one way you can run it with limited privileges is:
1. install wireshark from sources
2. groupadd shark
3. chgrp shark /wherever/wireshark /dev/bpf*
4. chmod g+s,o-x /wherever/wireshark
5. chmod g+rw /dev/bpf*
6. use sudo to grant access to wireshark
Of course, if a bad guy _does_ get control of wireshark, he OWNS your network, but at least you're not totally rooted. Take your chances. --Barry
How so? Given that all it is is a frontend to libpcap. And how does this
tcpdump runs the scary code in a jail.
Thanks a lot Cabillot, Kevin, Barry, Ray, Bryan and Stuart for the Detailed Information :-) Kind Regards Siju
ah, Nikns' port: this isn't a full jail, but it does drop privileges so it's a start. http://wiki.wireshark.org/Development/PrivilegeSeparation references this (so, some wireshark developers do recognise it needs to be done). IIRC (it's a while since I looked at it) there are some problems: you run the whole thing as root (including the GUI, which uses toolkits which are specifically not meant to be run as root), then after opening the capture device privs are dropped, at which point you can no longer access files you should have access to. There is another hackish workaround: mkfifo a file, then use tcpdump to do the capture into that. Run wireshark as a normal or (better) jailed user, and read from the FIFO. Messy, though... Anyway, this is probably of limited interest on misc@, so if anyone is interested in continuing this, ports@ is a better place (or the wireshark lists).
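The FIFO workaround above, written out as an added example that is not code from the thread: root-owned tcpdump writes a pcap stream into a FIFO, and Wireshark reads it as an unprivileged user so the dissectors never run as root. The interface name, FIFO path and capture user are assumptions, and sudo is assumed to be configured.

```shell
#!/bin/sh
# Added example (not from the thread): privilege-separated capture via a FIFO.
# Assumptions: capture interface, FIFO path and unprivileged user below.
set -eu

IFACE=${IFACE:-em0}                 # assumption: interface to capture on
CAPUSER=${CAPUSER:-nobody}          # assumption: user that runs Wireshark
FIFO=${FIFO:-/var/tmp/wscap.fifo}   # assumption: where the FIFO lives

# Create the FIFO so only its owner can open it. When run as root, hand it
# to the unprivileged user so Wireshark can read it without any privilege.
setup_fifo() {
  fifo=$1; user=$2
  rm -f "$fifo"
  mkfifo -m 0600 "$fifo"            # -m sets the mode regardless of umask
  if [ "$(id -u)" -eq 0 ]; then
    chown "$user" "$fifo"
  fi
}

# Permission string as ls prints it, e.g. "prw-------" for a FIFO that is
# readable and writable by its owner only (used as a sanity check below).
fifo_mode() {
  ls -ld "$1" | cut -c1-10
}

# Root side: tcpdump holds the BPF device and writes raw pcap into the FIFO.
# -U flushes every packet so the reader sees it immediately; -s 0 keeps
# whole packets. The writer blocks until a reader opens the FIFO, so it is
# started in the background first.
run_capture() {
  setup_fifo "$FIFO" "$CAPUSER"
  [ "$(fifo_mode "$FIFO")" = "prw-------" ] || { echo "bad FIFO mode" >&2; exit 1; }
  tcpdump -i "$IFACE" -s 0 -U -w "$FIFO" &
  dumper=$!
  # Unprivileged side: Wireshark accepts a named pipe for -i and, with -k,
  # starts reading the pcap stream right away; only root's tcpdump touched
  # the network, and only this user runs the dissectors.
  sudo -u "$CAPUSER" wireshark -k -i "$FIFO"
  kill "$dumper" 2>/dev/null || true
  rm -f "$FIFO"
}

if [ "${1:-}" = "run" ]; then
  run_capture
fi
```

A dedicated capture account with access to the X display is a better choice than nobody, since the GUI still has to open a display as that user.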
I like ettercap.