Date: Wed, 21 Apr 1999 13:41:11 +091800
From: Greg Lehey <grog@lemis.com>
To: "Paul T. Root" <proot@iaces.com>
Cc: Christopher Michaels <ChrisMic@clientlogic.com>, freebsd-questions@FreeBSD.ORG
Subject: Re: Sniffers and Sniffer detection [General UNIX question]
Message-ID: <19990421134111.L53374@freebie.lemis.com>
In-Reply-To: <199904201232.HAA02926@iaces.com>; from Paul T. Root on Tue, Apr 20, 1999 at 07:32:00AM -0500
References: <6C37EE640B78D2118D2F00A0C90FCB441A6090@site2s1> <199904201232.HAA02926@iaces.com>
On Tuesday, 20 April 1999 at 7:32:00 -0500, Paul T. Root wrote:
> In a previous message, Christopher Michaels said:
>>> -----Original Message-----
>>> From: Greg Lehey [SMTP:grog@lemis.com]
>>> Sent: Sunday, April 18, 1999 4:41 AM
>>> To: Eric S. Nooden; freebsd-questions@FreeBSD.ORG
>>> Subject: Re: Sniffers and Sniffer detection [General UNIX question]
>>>
>> <snip>
>>
>>>> 2. Is it possible to install a sniffer, in a user account (with no root
>>>> access), and sniff the network and watch for passwords?
>>>
>>> FreeBSD won't allow you to set promiscuous mode unless you're root.
>>>
>> <snip>
>>
>> This brought up a couple questions in my mind...
>>
>> 1. If the interface is already in promiscuous mode (I realize the
>> implication of this), is it possible for a regular user to use a sniffer
>> program?
>
> No, I tried it.
>
> However, the previous answer isn't entirely right. Promiscuous mode is
> a factor of the permissions on the /dev/bpf? device. When I set bpf0
> to 660 root.wheel, and I'm in wheel, I was able to use tcpdump. When
> I set it to 600 root.wheel I couldn't. Even when in another window root
> was running tcpdump.

Basically, these two statements contradict each other. In fact, I have
now tried it, and yes, it *is* possible for a non-privileged user to
use BPF if the device permissions are set correctly (666, for example).
But this is not "promiscuous mode". The interface goes into
promiscuous mode whenever BPF is active on it. This fact doesn't
change anything for anybody who isn't currently using it.

Greg
--
When replying to this message, please copy the original recipients.
For more information, see http://www.lemis.com/questions.html
See complete headers for address, home page and phone numbers
finger grog@lemis.com for PGP public key

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
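As an added illustration of the point Paul and Greg make above (my own example, not part of the thread), a small audit script that reports which /dev/bpf* nodes a non-root user could open, i.e. exactly the 660 root.wheel versus 600 root.wheel difference Paul observed. It assumes FreeBSD stat(1) with the %Lp/%Su/%Sg directives and falls back to GNU stat -c; the names classify_mode and audit_bpf_devices are mine.

```shell
#!/bin/sh
# Added example, not from the thread: audit /dev/bpf* permission bits so an
# administrator can see whether non-root users are able to open BPF.
# Assumption: FreeBSD stat -f '%Lp %Su %Sg' prints "660 root wheel";
# GNU stat -c '%a %U %G' is used as a fallback on Linux.

# classify_mode MODE OWNER GROUP
#   MODE is the octal permission string (660 or 0660).
#   Prints who can open the node: world, group:<name>, owner:<name>, root-only.
classify_mode() {
    mode=$1; owner=$2; group=$3
    mode=${mode#"${mode%???}"}          # keep only the last three octal digits
    gbits=${mode%?}; gbits=${gbits#?}   # middle digit: group bits
    obits=${mode#??}                    # last digit: other bits
    # a read (4) or write (2) bit, i.e. any digit 2..7, lets that class open it
    case $obits in
        [2-7]) echo world; return ;;
    esac
    case $gbits in
        [2-7]) echo "group:$group"; return ;;
    esac
    if [ "$owner" != root ]; then
        echo "owner:$owner"
    else
        echo root-only
    fi
}

# Walk every bpf device node and print mode, owner, group and the verdict.
audit_bpf_devices() {
    for dev in /dev/bpf*; do
        [ -e "$dev" ] || continue
        # FreeBSD stat(1) first; GNU stat rejects %Lp, so fall back to -c
        fields=$(stat -f '%Lp %Su %Sg' "$dev" 2>/dev/null) ||
            fields=$(stat -c '%a %U %G' "$dev")
        set -- $fields
        printf '%s mode=%s %s:%s -> %s\n' "$dev" "$1" "$2" "$3" \
            "$(classify_mode "$1" "$2" "$3")"
    done
}

audit_bpf_devices
```

Any node reported as group: or world means that group (or every local user) can start tcpdump without root, which is the case Paul describes.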