Date: Wed, 3 Feb 1999 10:49:29 +1100
From: Peter Jeremy <peter.jeremy@auss2.alcatel.com.au>
To: jwyatt@RWSystems.net
Cc: security@FreeBSD.ORG
Subject: Re: tcpdump
Message-ID: <99Feb3.103940est.40334@border.alcanet.com.au>
James Wyatt <jwyatt@RWSystems.net> wrote:
> Don't make more BPFs than you need (usually 1)

If you use multiple network interfaces (including ppp/lpip), having a second BPF can be useful when you're trying to resolve routing problems. If you're using DHCP, you'll need a spare BPF for dhcpd.

> and leave tcpdump running
> to lock it. If someone gets in and gets rootly, they can use it to sniff

This doesn't buy you anything:

1) Anyone with root access can kill your tcpdump to grab the BPF (or just run ktrace on it to grab the output without alerting you).

2) Anyone with physical access to your network can achieve the same thing with sniffer software on a laptop.

Running tcpdump (especially in promiscuous mode) can substantially increase the load on your system. You _don't_ want to do this if your machine is on a heavily loaded network.

I've seen suggestions (I can't recall where) that you might as well "chmod 666 /dev/bpf*" to more accurately reflect the difficulty of network snooping (although I think this is going too far).

Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
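The thread turns on who can open the BPF device nodes: the number of nodes present and whether anyone besides their owner has access to them (the "chmod 666 /dev/bpf*" suggestion above). The following audit script is an added example written for this page; it is not code from the thread or from FreeBSD. It assumes the nodes are named bpf0, bpf1, ... under a directory you pass in (default /dev), reports how many exist, and flags any that are readable or writable by group or world. On systems with a single cloning /dev/bpf it simply finds fewer nodes.

```python
"""Audit BPF device node count and permissions (added example, not from the thread).

Assumptions (not from the original message): device nodes are named bpf*
under the directory given to audit_bpf_nodes(); the script only inspects
permission bits, it does not open the devices.
"""
import os
import stat
from glob import glob
from typing import Dict, List


def classify_mode(mode: int) -> List[str]:
    """Return findings for a permission mode: who besides the owner can open it.

    `mode` is the permission bits only (as from stat.S_IMODE), not the full st_mode.
    """
    findings = []
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("world-accessible")  # the "chmod 666 /dev/bpf*" case
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append("group-accessible")
    return findings


def audit_bpf_nodes(devdir: str = "/dev") -> Dict[str, object]:
    """Count bpf* nodes under devdir and collect permission findings per node.

    Returns {"count": <number of nodes>, "findings": {name: [finding, ...]}}.
    Nodes with owner-only permissions produce no entry in "findings".
    """
    nodes = sorted(glob(os.path.join(devdir, "bpf*")))
    report: Dict[str, object] = {"count": len(nodes), "findings": {}}
    for path in nodes:
        st = os.lstat(path)  # lstat: do not follow a symlink planted in /dev
        problems = classify_mode(stat.S_IMODE(st.st_mode))
        if problems:
            report["findings"][os.path.basename(path)] = problems
    return report


if __name__ == "__main__":
    rep = audit_bpf_nodes()
    print("bpf nodes present:", rep["count"])
    for name, problems in rep["findings"].items():
        print(f"  {name}: {', '.join(problems)}")
    if not rep["findings"]:
        print("  all bpf nodes are owner-only")
```

Run it as root on the host being reviewed; a node count larger than the interfaces you actually monitor (plus one for dhcpd if you run it) and any group or world access on a node are the two things to follow up.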