Jeff Morriss wrote:
> tcpdump and commercial sniffer products probably need root access and
> are reading from the network, but I'm not sure tcpdump counts as "big"

It's not as big as Wireshark, but it *has* had its own problems with code vulnerable to malicious packets. It will, before opening a capture file to read, and after opening a capture device on which to do a live capture, drop privileges to run with the real user and group ID.

> and I know nothing of commercial sniffers.

Most of 'em run on Windows, and thus come with a driver of some sort to support capturing; I suspect they arrange that either anybody, administrators, or the user who installed the sniffer can open the device, so it runs as the user.

One that used to run on a UN*X was EtherPeek for OS X; according to the manual I have, when you started it, it popped up a dialog with a list of adapters, and required you to click an "unlock" button to capture on the selected adapter. That opened a dialog asking for an administrator's password. I *suspect* that caused it to run a program or script as root; if so, it might have changed the BPF devices to be accessible by the user.

_______________________________________________
Wireshark-dev mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-dev
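The "open the capture device as root, then drop to the real user" pattern described above, as an added illustration that is not tcpdump's or Wireshark's code. It assumes a tool launched setuid-root or via sudo; the capture-device path is a placeholder and the demo opens it like an ordinary file.

```c
/* Added example (not tcpdump's or Wireshark's code): open the capture
 * handle while privileged, then permanently drop to the invoking user so
 * that packet-parsing bugs run without root. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <grp.h>
#include <sys/types.h>

/* Drop to the real (invoking) user and group, irreversibly. Order matters:
 * supplementary groups first, then gid, then uid, because once the uid is
 * unprivileged the group changes would fail. Returns 0 on success. */
int drop_to_real_user(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (geteuid() == 0 && setgroups(0, NULL) != 0)  /* only root may do this */
        return -1;
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* setuid() as root sets real, effective and saved uid, so regaining
     * root must now fail; treat success as a failed drop. */
    if (ruid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return 0;
}

/* Returns 1 if no uid slot (real, effective, saved) still holds root. */
int privileges_dropped(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return 0;
    return r != 0 && e != 0 && s != 0;
}

int main(int argc, char **argv)
{
    /* Placeholder device path; a real tool would open /dev/bpf* or a raw socket. */
    const char *dev = argc > 1 ? argv[1] : "/dev/null";
    int fd = open(dev, O_RDONLY);          /* done while still privileged */
    if (fd < 0) { perror("open"); return 1; }
    if (drop_to_real_user() != 0) { perror("drop privileges"); return 1; }
    printf("capture fd %d open, now uid=%u euid=%u\n", fd,
           (unsigned)getuid(), (unsigned)geteuid());
    close(fd);
    return 0;
}
```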
