Date: Tue, 2 Feb 1999 23:32:12 -0600 (CST)
From: James Wyatt <jwyatt@RWSystems.net>
To: Peter Jeremy <peter.jeremy@auss2.alcatel.com.au>
Cc: security@FreeBSD.ORG
Subject: Re: tcpdump
Message-ID: <Pine.BSF.4.05.9902022312000.1812-100000@kasie.rwsystems.net>
In-Reply-To: <99Feb3.103940est.40334@border.alcanet.com.au>
On Wed, 3 Feb 1999, Peter Jeremy wrote:

> James Wyatt <jwyatt@RWSystems.net> wrote:
> >Don't make more BPFs than you need (usually 1)
> If you use multiple network interfaces (including ppp/lpip), having a
> second BPF can be useful when you're trying to resolve routing problems.
> If you're using DHCP, you'll need a spare BPF for dhcpd.

The line you quote above says make two if you need two. We don't have DHCP
on this campus yet, but will 99Q2. Thanks for the hint about dhcpd...

> > and leave tcpdump running
> >to lock it. If someone gets in and gets rootly, they can use it to sniff
> This doesn't buy you anything:
> 1) Anyone with root access can kill your tcpdump to grab the BPF
> (or just run ktrace on it to grab the output without alerting you).

Most folks who get in and run scripts don't ktrace, and the load would be
noticeable, but you are right about the vulnerability. I was more stating
that if they have to kill something, you might notice the dead session...

> 2) Anyone with physical access to your network can achieve the same
> thing with sniffer software on a laptop.

Absolutely. I've had folks ask about locking MAC addresses on managed hubs
for this reason. Doesn't help when you have desktop hubs, though. It is
another reason to unpatch unused ENet outlets as well. They can also
install a Win32 sniffer on office boxes with Back Orifice (a really cool
tool at times). I do what I can on my hosts and firewall the rest, but I'm
not deluded into thinking I'm solving the world's problems.

btw: If *I* have it on *my* laptop that's a feature... 8{)

> Running tcpdump (especially in promiscuous mode) can substantially
> increase the load on your system. You _don't_ want to do this if
> your machine is on a heavily loaded network.

Restricting tcpdump by host/port/protocol/etc can help this a lot, but the
card and driver still consume more CPU in promiscuous mode. On the laptop,
we have to restrict or it drops packets with the 486. 8{(

> I've seen suggestions (I can't recall where) that you might as well
> "chmod 666 /dev/bpf*" to more accurately reflect the difficulty of
> network snooping (although I think this is going too far).

As currently set, you still have to break root on a host that has the
interfaces you want. In a switched environment, try for a boundary host.
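A defender's check for the /dev/bpf* permission question raised at the end of the thread, added here as an example and not part of the original message: it reads the mode of each bpf device node in a directory (pass /dev on a live host) and flags any node that is looser than root-only, which is what the "chmod 666" suggestion would undo. The directory argument, the function names and the constructed test nodes are my own.

```shell
#!/bin/sh
# Audit BPF device node permissions (added example, not from the thread).
# Prints "<name> <octal-mode> <verdict>" for every bpf* node in the directory
# given as $1. A node is "root-only" when group and other bits are all zero,
# which is the state the thread's "break root first" argument relies on.
audit_bpf_perms() {
    dir=$1
    for node in "$dir"/bpf*; do
        [ -e "$node" ] || continue
        # GNU stat (Linux) first, FreeBSD stat as the fallback; both yield
        # the permission bits in octal, e.g. 660.
        mode=$(stat -c '%a' "$node" 2>/dev/null || stat -f '%OLp' "$node")
        # Keep only the rwx digits (drops a leading setuid/setgid/sticky digit).
        perm=$(printf '%s' "$mode" | tail -c 3)
        grp=$(printf '%s' "$perm" | cut -c2)
        oth=$(printf '%s' "$perm" | cut -c3)
        if [ "$oth" != "0" ]; then
            verdict="WORLD-ACCESSIBLE"
        elif [ "$grp" != "0" ]; then
            verdict="group-accessible"
        else
            verdict="root-only"
        fi
        printf '%s %s %s\n' "$(basename "$node")" "$perm" "$verdict"
    done
}

# Number of bpf nodes that are NOT root-only; 0 means nothing to fix.
bpf_nodes_open() {
    audit_bpf_perms "$1" | grep -c -v ' root-only$' || true
}
```

Run `audit_bpf_perms /dev` on the host in question; anything other than root-only deserves a look at who in that group can open the node.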