From owner-freebsd-security Wed Dec 11 15:17:50 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id PAA17332 for security-outgoing; Wed, 11 Dec 1996 15:17:50 -0800 (PST)
Received: from super-g.inch.com (super-g.com [204.178.32.161]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id PAA17324 for ; Wed, 11 Dec 1996 15:17:47 -0800 (PST)
Received: from localhost (spork@localhost) by super-g.inch.com (8.8.4/8.6.9) with SMTP id SAA12051; Wed, 11 Dec 1996 18:21:25 -0500 (EST)
Date: Wed, 11 Dec 1996 18:21:24 -0500 (EST)
From: spork
X-Sender: spork@super-g.inch.com
To: Brian Tao
cc: Nate Williams , FREEBSD-SECURITY-L
Subject: Re: Risk of having bpf0? (was URGENT: Packet sniffer found on my system)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Another thing to note is that some switched hubs support a nice feature
called "port mirroring" that lets you (depending on $$ paid for switch)
mirror all traffic on all (or selected) ports to an extra port where you
plug in your monitoring station and sniff away...

Charles

On Wed, 11 Dec 1996, Brian Tao wrote:

> On Wed, 11 Dec 1996, Nate Williams wrote:
> >
> > I would *certainly* disable BPF on a public server. You can always use
> > another box to look at packets that isn't publicly available.
>
> The servers here are all on switched ports, so I can't monitor
> all packets on the LAN. I suppose that was one saving grace which
> prevented the attacker from doing more damage than he did. I think
> the best thing to do is disable bpf, and set up a management station
> on the router segment to watch the packets.
> --
> Brian Tao (BT300, taob@io.org, taob@ican.net)
> Senior Systems and Network Administrator, Internet Canada Corp.
> "Though this be madness, yet there is method in't"
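As an added example (not part of this thread or anyone's post in it), a small sh script on the defender's side of the discussion: it lists interfaces whose flags show PROMISC, which is what a bpf-based sniffer leaves behind on a host, and counts bpf device nodes as a quick inventory. The ifconfig output embedded below is constructed, and the interface names and addresses in it are assumptions.

```shell
#!/bin/sh
# Added example: quick sniffer-exposure check for a BSD-style host.
# Reads ifconfig-style output on stdin so it can also run against a saved copy.

# Print the name of every interface whose flags line contains PROMISC.
# Matches lines such as "fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,...>".
promisc_ifaces() {
    awk '/^[a-z][a-z0-9]*: flags=.*PROMISC/ { sub(":", "", $1); print $1 }'
}

# Count bpf device nodes under a directory (default /dev). On older systems the
# nodes are created statically by MAKEDEV, so their presence alone does not
# prove the kernel still has bpf compiled in; treat this as an inventory only.
bpf_nodes() {
    dir=${1:-/dev}
    n=0
    for node in "$dir"/bpf*; do
        [ -c "$node" ] && n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample ifconfig output (assumed interface names and addresses):
# fxp0 is in promiscuous mode, lo0 and fxp1 are not.
CONSTRUCTED_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 198.51.100.5 netmask 0xffffff00 broadcast 198.51.100.255'

# Demonstration on the constructed sample; on a live host pipe `ifconfig -a`
# into promisc_ifaces instead and call bpf_nodes with no argument.
printf '%s\n' "$CONSTRUCTED_IFCONFIG" | promisc_ifaces
```

On a live host, run `ifconfig -a | promisc_ifaces` and `bpf_nodes`; any interface printed by the first deserves a look at which process opened it.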