Date: Fri, 07 Oct 2005 09:45:54 -0400
From: Chuck Swiger
To: John Conover
Cc: freebsd-questions@freebsd.org
Subject: Re: Security risk associated with a NIC's promiscuous mode?
Message-id: <43467C12.1060001@mac.com>
In-reply-to: <20051007084807.13455.qmail@rahul.net>
Organization: The Courts of Chaos

John Conover wrote:
> Is there any security risk associated with a NIC's promiscuous mode
> while running tcpdump and/or arpwatch?

A mild one. For example, I believe there was recently a security bug in tcpdump's string handling which could be exploited by tcpdump seeing a maliciously-crafted packet.
Running the NIC in promisc mode means that packet just has to go by, rather than being sent specifically to the machine running the sniffer...

In other words, it's not a great idea to run a sniffer on your most important fileserver or whatever, rather than an isolated laptop or other test system.

-- 
-Chuck
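
Added example, not part of the original message: a small audit for the advice above, reporting which interfaces on a host are currently in promiscuous mode so that a sniffer left running on an important server gets noticed. It assumes `flags=...<...>` header lines as printed by FreeBSD's `ifconfig`; the function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original thread).
# promisc_ifaces: read ifconfig-style text on stdin and print the name of
# every interface whose flag list contains PROMISC or PPROMISC.
promisc_ifaces() {
    awk '
        # Header lines look like: "em0: flags=8943<UP,...,PROMISC,...> mtu 1500"
        /^[A-Za-z0-9_.]+: flags=/ {
            name = $1
            sub(/:$/, "", name)
            if (match($0, /<[^>]*>/) == 0) next
            # Split the text between < and > into individual flag names so
            # that only exact matches count.
            n = split(substr($0, RSTART + 1, RLENGTH - 2), flags, ",")
            for (i = 1; i <= n; i++) {
                if (flags[i] == "PROMISC" || flags[i] == "PPROMISC") {
                    print name
                    break
                }
            }
        }
    '
}

# check_promisc: exit status 1 (and a report line per interface) when any
# interface is promiscuous, 0 otherwise. Suitable for a periodic job.
check_promisc() {
    found=$(promisc_ifaces)
    [ -z "$found" ] && return 0
    for ifname in $found; do
        printf 'WARNING: %s is in promiscuous mode\n' "$ifname"
    done
    return 1
}

# Constructed sample input (documentation address range), not real output.
SAMPLE_IFCONFIG='em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384'

# Demonstration on the sample; on a live host use: ifconfig -a | check_promisc
printf '%s\n' "$SAMPLE_IFCONFIG" | check_promisc || true
```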