I would make the remote box run tethereal.
Use the http://www.linbsd.org/setuid_tethereal.patch
to run with the -u option for say user _ethereal.
Once the capture device is opened as root, the privs will be
dropped to the user specified.
Use tethereal with -z "proto,colinfo,$VAR,$VAR" for each $VAR you want appended to the default information on each packet line.
A complete list can be found with tethereal -G.

Correct me if I am wrong, but I would imagine this would make it more secure, short of complete priv sep.

Then whatever output can be parsed/stored without exploit concerns.
Even tethereal -T pdml could give you everything in xml and you could then
customize your parsing.

My 2 cents.

-Ober
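As an added example (not code from Ober's post, the linbsd patch or the Ethereal project), here is the unprivileged consumer side of what is described above: a builder for the command line with the patch's `-u` drop-privilege flag and the `-z proto,colinfo` columns, and a streaming parser for `-T pdml` output that copies out only a chosen set of field values, so a malformed or unexpected packet element never does more than yield empty fields. The PDML sample is constructed, the `tethereal_cmd`/`parse_pdml` names are my own, and the `-u user` syntax is assumed from the post's description of the patch.

```python
import xml.etree.ElementTree as ET
from io import BytesIO

# Constructed sample of what `tethereal -T pdml` emits: one <packet>, nested <proto>/<field>.
SAMPLE_PDML = """<?xml version="1.0"?>
<pdml version="0" creator="tethereal">
<packet>
  <proto name="ip" showname="Internet Protocol" size="20" pos="14">
    <field name="ip.src" showname="Source" show="192.0.2.10" size="4" pos="26" value="c000020a"/>
    <field name="ip.dst" showname="Destination" show="192.0.2.20" size="4" pos="30" value="c0000214"/>
  </proto>
  <proto name="tcp" showname="TCP" size="20" pos="34">
    <field name="tcp.dstport" showname="Destination port" show="80" size="2" pos="36"/>
    <field name="tcp.flags" showname="Flags: 0x02 (SYN)" show="0x02" size="1" pos="47">
      <field name="tcp.flags.syn" showname="Syn: Set" show="1" size="1" pos="47"/>
    </field>
  </proto>
</packet>
</pdml>
"""

def tethereal_cmd(user, iface, fields):
    """Command line from the post: open `iface` as root, drop to `user` (the -u flag is
    assumed to be the one added by the setuid patch), disable name resolution, and
    append each wanted field to the packet summary line via -z proto,colinfo."""
    cmd = ["tethereal", "-u", user, "-i", iface, "-n"]
    for f in fields:
        cmd += ["-z", "proto,colinfo,%s,%s" % (f, f)]
    return cmd

def parse_pdml(source, wanted):
    """Stream PDML (a str or a binary file object) and return one dict per <packet>
    holding the `wanted` field names. Missing fields map to None; only the `show`
    attribute text is copied, nothing from the capture is interpreted."""
    if isinstance(source, str):
        source = BytesIO(source.encode("utf-8"))
    packets = []
    for _event, elem in ET.iterparse(source, events=("end",)):
        if elem.tag != "packet":
            continue
        rec = dict.fromkeys(wanted)
        # iter() walks nested <field> elements too (tcp.flags.syn under tcp.flags);
        # the first occurrence of a name wins.
        for field in elem.iter("field"):
            name = field.get("name")
            if name in rec and rec[name] is None:
                rec[name] = field.get("show")
        packets.append(rec)
        elem.clear()  # release the subtree so a long capture stays bounded in memory
    return packets
```

The parser runs as whatever user reads the capture output, so keep it away from the capturing host's root context just as the post keeps the dissectors away from root.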

---------- Forwarded message ----------
Date: Fri, 25 Nov 2005 13:56:39 -0700
From: Theo de Raadt <[EMAIL PROTECTED]>
To: Matthew Graham <[EMAIL PROTECTED]>
Cc: misc <[EMAIL PROTECTED]>
Subject: Re: Network Analyzer

One utility I'm used to using for monitoring is Ethereal. I've seen all
of the comments from the OpenBSD user community and understand why it's
no longer available through ports. Does anyone know of a similar tool
that will work well with OpenBSD and is also secure? I need more
information in human readable form than I can get from tcpdump or
sniffit.

It is super dangerous.  It went through a period of I think about 30
remote code running bugs in a few months, but bugs are always being
found.

It is very difficult to write 100% correct packet parsing code.  Errors
will be made.  And exactly where you cannot afford them.

For this reason, we audited tcpdump.  Then we realized that errors would
still be made, and we then privilege separated it, so that the nasty
code runs in a jail.

The same approach could be taken by other projects towards their code,
but yes, it is a fairly difficult chunk of code to write.

In general we supply our user community with any tool they might want.
But ethereal was becoming something so often used, so often used poorly,
and so often used without any awareness as to how great the risk was.
We felt we had to do something, and thus we deleted it.

You can compile it up yourself.

Right now, though, it is amongst the most dangerous pieces of software
people are running.

It is your choice.
