From owner-freebsd-questions Tue Apr 20 21:13:48 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from allegro.lemis.com (allegro.lemis.com [192.109.197.134]) by hub.freebsd.org (Postfix) with ESMTP id A35B315127 for ; Tue, 20 Apr 1999 21:13:42 -0700 (PDT) (envelope-from grog@freebie.lemis.com)
Received: from freebie.lemis.com (freebie.lemis.com [192.109.197.137]) by allegro.lemis.com (8.9.1/8.9.0) with ESMTP id NAA27953; Wed, 21 Apr 1999 13:41:13 +0930 (CST)
Received: (from grog@localhost) by freebie.lemis.com (8.9.3/8.9.0) id NAA54362; Wed, 21 Apr 1999 13:41:11 +0930 (CST)
Date: Wed, 21 Apr 1999 13:41:11 +091800
From: Greg Lehey
To: "Paul T. Root"
Cc: Christopher Michaels , freebsd-questions@FreeBSD.ORG
Subject: Re: Sniffers and Sniffer detection [General UNIX question]
Message-ID: <19990421134111.L53374@freebie.lemis.com>
References: <6C37EE640B78D2118D2F00A0C90FCB441A6090@site2s1> <199904201232.HAA02926@iaces.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <199904201232.HAA02926@iaces.com>; from Paul T. Root on Tue, Apr 20, 1999 at 07:32:00AM -0500
WWW-Home-Page: http://www.lemis.com/~grog
X-PGP-Fingerprint: 6B 7B C3 8C 61 CD 54 AF 13 24 52 F8 6D A4 95 EF
Organization: LEMIS, PO Box 460, Echunga SA 5153, Australia
Phone: +61-8-8388-8286
Fax: +61-8-8388-8725
Mobile: +61-41-739-7062
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tuesday, 20 April 1999 at 7:32:00 -0500, Paul T. Root wrote:
> In a previous message, Christopher Michaels said:
>>> -----Original Message-----
>>> From: Greg Lehey [SMTP:grog@lemis.com]
>>> Sent: Sunday, April 18, 1999 4:41 AM
>>> To: Eric S. Nooden; freebsd-questions@FreeBSD.ORG
>>> Subject: Re: Sniffers and Sniffer detection [General UNIX question]
>>>
>>>> 2. Is it possible to install a sniffer, in a user account (with no root
>>>> access), and sniff the network and watch for passwords?
>>>
>>> FreeBSD won't allow you to set promiscuous mode unless you're root.
>>>
>> This brought up a couple questions in my mind...
>>
>> 1. If the interface is already in promiscuous mode (I realize the
>> implication of this), is it possible for a regular user to use a sniffer
>> program?
>
> No, I tried it.
>
> However, the previous answer isn't entirely right. Promiscuous mode is
> a factor of the permissions on the /dev/bpf? device. When I set bpf0
> to 660 root.wheel, and I'm in wheel, I was able to use tcpdump. When
> I set it to 600 root.wheel I couldn't. Even when in another window root
> was running tcpdump.

Basically, these two statements contradict each other. In fact, I have
now tried it, and yes, it *is* possible for a non-privileged user to use
BPF if the device permissions are set correctly (666, for example). But
this is not "promiscuous mode". The interface goes into promiscuous mode
whenever BPF is active on it. This fact doesn't change anything for
anybody who isn't currently using it.

Greg
--
When replying to this message, please copy the original recipients.
For more information, see http://www.lemis.com/questions.html
See complete headers for address, home page and phone numbers
finger grog@lemis.com for PGP public key

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
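The thread's point is that who can capture is decided by the mode of the /dev/bpf? nodes (600 root.wheel: root only; 660 root.wheel: members of wheel; 666: anyone), not by any "promiscuous mode" switch. The following audit script is an added example and not part of the thread: it classifies each BPF node by who may open it, reading "ls -l" style lines, with a constructed sample so it runs offline.

```sh
#!/bin/sh
# Added example (not from the original thread): classify /dev/bpf* nodes by
# who may open them, from "ls -l /dev/bpf*" output.  BPF only needs the read
# bit to capture, so any group or "other" read bit widens who can sniff.

# classify_bpf_mode MODE GROUP
# MODE is the 10-character ls mode string, e.g. crw-rw----
# Prints: world | group:<GROUP> | root-only
classify_bpf_mode() {
  case $1 in
    ???????r*|????????w*) echo world ;;       # "other" may read or write
    ????r*|?????w*)       echo "group:$2" ;;  # group (e.g. wheel) may use it
    *)                    echo root-only ;;   # only the owner (root)
  esac
}

# bpf_audit: read "ls -l" lines on stdin, print "<device> <class>" per bpf node.
# Device nodes show "major, minor" instead of a size, so the field count
# varies; the device path is always the last word of the line.
bpf_audit() {
  while read -r mode _links _owner group rest; do
    dev=${rest##* }
    case $dev in */bpf*) ;; *) continue ;; esac
    printf '%s %s\n' "$dev" "$(classify_bpf_mode "$mode" "$group")"
  done
}

# Constructed sample (not real output): the three cases from the thread.
SAMPLE='crw-------  1 root  wheel    0,  23 Apr 20 21:13 /dev/bpf0
crw-rw----  1 root  wheel    0,  24 Apr 20 21:13 /dev/bpf1
crw-rw-rw-  1 root  wheel    0,  25 Apr 20 21:13 /dev/bpf2'

# Offline demonstration; on a live FreeBSD host run:  ls -l /dev/bpf* | bpf_audit
printf '%s\n' "$SAMPLE" | bpf_audit
```

Anything reported as "world" or "group:<name>" is a node that lets non-root users capture, which is the exact condition Paul and Greg describe.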