From owner-freebsd-questions Tue Apr 20 5:35: 6 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from iaces.com (horton.iaces.com [204.147.87.98])
	by hub.freebsd.org (Postfix) with ESMTP id 99A6015598
	for ; Tue, 20 Apr 1999 05:35:02 -0700 (PDT)
	(envelope-from proot@iaces.com)
Received: (from proot@localhost)
	by iaces.com (8.9.3/8.9.3) id HAA02926;
	Tue, 20 Apr 1999 07:32:00 -0500 (CDT)
From: "Paul T. Root"
Message-Id: <199904201232.HAA02926@iaces.com>
Subject: Re: Sniffers and Sniffer detection [General UNIX question]
In-Reply-To: <6C37EE640B78D2118D2F00A0C90FCB441A6090@site2s1> from Christopher Michaels at "Apr 19, 99 05:34:25 pm"
To: ChrisMic@clientlogic.com (Christopher Michaels)
Date: Tue, 20 Apr 1999 07:32:00 -0500 (CDT)
Cc: grog@lemis.com, freebsd-questions@FreeBSD.ORG
X-Organization: USWEST !nterprise Networking - ACES
X-Phone: (612) 664-3385
X-Fax: (612) 664-4779
X-Page: (800) SKY-PAGE PIN: 537-7270
X-Address: 600 Stinson Blvd, Fl 1S
X-Address: Minneapolis, MN 55413
X-Mailer: ELM [version 2.4ME+ PL38 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In a previous message, Christopher Michaels said:
> > -----Original Message-----
> > From: Greg Lehey [SMTP:grog@lemis.com]
> > Sent: Sunday, April 18, 1999 4:41 AM
> > To: Eric S. Nooden; freebsd-questions@FreeBSD.ORG
> > Subject: Re: Sniffers and Sniffer detection [General UNIX question]
> >
> >
> > > 2. Is it possible to install a sniffer, in a user account (with no root
> > > access), and sniff the network and watch for passwords?
> >
> > FreeBSD won't allow you to set promiscuous mode unless you're root.
> >
> >
> This brought up a couple questions in my mind...
>
> 1. If the interface is already in promiscuous mode (I realize the
> implication of this), is it possible for a regular user to use a sniffer
> program?

No, I tried it.
However, the previous answer isn't entirely right. Promiscuous mode is a
factor of the permissions on the /dev/bpf? device. When I set bpf0 to 660
root.wheel, and I'm in wheel, I was able to use tcpdump. When I set it to
600 root.wheel I couldn't. Even when in another window root was running
tcpdump.

> 2. How do you take the interface out of promiscuous mode once it's
> in it?

This I'm not sure, I hope that this closes automatically.

--
ON THE ROLE OF BEAUTY AND HANDSOMENESS IN LOVE
"Beauty is skin deep. But how rich you are can last a long time."
--Christine, age 9


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
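
Added example, not part of the original message: a shell check that lists each /dev/bpf* node with its mode and owner and reports whether the group or every local user can open it for capture, matching the 660 versus 600 behaviour described above. The function names and the optional directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): report which local accounts
# can open each bpf node, since the node's mode decides who can capture.

# bpf_access [DIR]: print "<node> <perms> <uid>:<gid> <verdict>" for DIR/bpf*.
# DIR defaults to /dev; the DIR argument is an assumption, used for testing.
bpf_access() {
    dir=${1:-/dev}
    for node in "$dir"/bpf*; do
        [ -e "$node" ] || continue          # glob matched nothing
        # ls -ln prints: perms links uid gid ...; -L follows symlinks.
        set -- $(ls -lnLd "$node")
        perms=$1 uid=$3 gid=$4
        case $perms in
            ???????r*) verdict="world-readable" ;;  # any local user can capture
            ????r*)    verdict="group-readable" ;;  # members of the gid can capture
            *)         verdict="owner-only" ;;
        esac
        echo "${node##*/} $perms $uid:$gid $verdict"
    done
    return 0
}

# bpf_exposed [DIR]: exit 0 if any node is readable by more than its owner.
bpf_exposed() {
    bpf_access "$1" | grep -Eq ' (group|world)-readable$'
}

bpf_access "${1:-/dev}"
```

A group-readable result for gid 0 corresponds to the 660 root.wheel case in the message: anyone in wheel can run tcpdump without being root.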