Hi all,

First: massive thanks to Ulf for all the work he's been doing on 
privilege separation. It's definitely a really important feature that's 
been missing forever.

Ulf Lamping wrote:
> Just as Wireshark is doing it already for some time, tshark now also uses 
> dumpcap to capture stuff (to separate the "potentially dangerous" 
> dissection from the "root required" capturing). tshark calls dumpcap 
> with a set of command line options (capture interface, capture file 
> name, ...) and establishes a pipe to dumpcap. Now dumpcap captures 
> packets into a temporary file, a named file or some ringbuffer files and 
> notifies tshark of events through a pipe, e.g. a new file was opened, some 
> packets rushed in, ...

Ok, first question: when being used by {wire,t}shark, is a temporary 
file really the best way for dumpcap to write its captured data? The 
Unix way to do this would be to write it down a separate pipe (so 
wireshark/tshark would run dumpcap with a magic option saying "write 
your captured data to fd X"); however I don't know enough about Windows 
to know how portable that would be. A temporary file works fine anyway, 
I guess.

> Now the two problems in the buildbot test are:
> 
> a) dumping to stdout (using -w -)
> Dumping to stdout will mix up with the pipe (standard-)output, so this 
> cannot work as before. BTW: Wireshark cannot capture to stdout for the 
> same reason (or am I misinformed here?).

I don't understand this at all. If I want to use tshark to capture and 
write to stdout, why shouldn't I? Surely that doesn't interfere with the 
pipe between tshark and dumpcap?

> Solution: to dump to stdout, use dumpcap - it's built for that purpose. 

Well, ish - though as you notice below, it doesn't support read filters 
(nor should it). If I want to perform a capture, with read filtering, to 
stdout, then tshark should be able to do this for me.

> Document that dumping to stdout doesn't work with tshark / Wireshark and 
> prevent "-w -" command line option.

This would be a shame.

> b) read filter
> dumpcap doesn't know anything about display filter syntax - 
> ...
> 
> Solution: Drop read filters completely, they don't really fit in the 
> concept of privilege separation. Document the change and prevent the 
> corresponding command line option(s).

Yes they do: tshark does the read-filtering as the ordinary user, and 
dumpcap does the capturing as root.

> Please note: I'm not arguing against the usefulness of both options, 
> but they don't fit into the idea of privilege separation and the current 
> implementation of it. So I don't see a good way to "re-"implement them ...

Perhaps I'm missing something important here - but I don't understand 
what the problem is.

Regards,

Richard
_______________________________________________
Wireshark-dev mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-dev
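The split Richard is describing, as an added illustration that is not code from Wireshark, dumpcap or tshark: the privileged capturer is told on its command line which file descriptor to write pcap data to (the "--capture-fd" option here is hypothetical, not a real dumpcap option), so its stdout is never touched; the unprivileged side parses the pcap stream off that pipe, applies a read filter, and writes only the surviving records to its own stdout, which is exactly the "-w -" case. The capturer is a stand-in that emits constructed Ethernet frames rather than a real capture, the read filter is a trivial EtherType match rather than display-filter syntax, and the separate event/control pipe the thread mentions is left out. Python is used instead of C to keep the fork/pipe plumbing short.

```python
import io
import os
import struct
import subprocess
import sys

# libpcap file format constants (little-endian, microsecond timestamps)
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
THIS_FILE = os.path.abspath(__file__)


def ethernet_frame(ethertype, payload):
    """Build a constructed Ethernet frame: dummy MACs + EtherType + payload."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    return dst + src + struct.pack("!H", ethertype) + payload


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, frame):
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


# Constructed sample traffic standing in for what a real capture would deliver.
SAMPLE_FRAMES = [
    ethernet_frame(0x0800, b"\x45" + b"\x00" * 19),  # IPv4, 34 bytes
    ethernet_frame(0x0806, b"\x00" * 28),            # ARP,  42 bytes
    ethernet_frame(0x0800, b"\x45" + b"\x00" * 39),  # IPv4, 54 bytes
    ethernet_frame(0x86DD, b"\x60" + b"\x00" * 39),  # IPv6, 54 bytes
]


def run_capturer(fd):
    """Privileged side (stand-in for dumpcap). Writes pcap only to the fd it
    was handed on the command line; its own stdout is never used."""
    os.write(fd, pcap_global_header())
    for i, frame in enumerate(SAMPLE_FRAMES):
        os.write(fd, pcap_record(1_000_000 + i, 0, frame))
    os.close(fd)  # EOF on the pipe tells the reader the capture is over


def read_filter_ethertype(wanted):
    """A minimal 'read filter': keep frames whose EtherType matches."""
    def pred(frame):
        return len(frame) >= 14 and struct.unpack("!H", frame[12:14])[0] == wanted
    return pred


def capture_with_filter(pred, out):
    """Unprivileged side (stand-in for tshark). Spawns the capturer with a
    dedicated pipe for packet data, parses the pcap stream, applies pred, and
    writes surviving records to `out` (which may be this process's stdout)."""
    r, w = os.pipe()
    child = subprocess.Popen(
        [sys.executable, THIS_FILE, "--capture-fd", str(w)],  # hypothetical option
        pass_fds=(w,),
    )
    os.close(w)  # parent must drop the write end or it never sees EOF
    kept = total = 0
    with os.fdopen(r, "rb") as data:
        header = data.read(24)
        if len(header) != 24 or struct.unpack("<I", header[:4])[0] != PCAP_MAGIC:
            raise ValueError("capturer did not send a pcap global header")
        out.write(header)
        while True:
            rec = data.read(16)
            if len(rec) < 16:
                break
            _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", rec)
            frame = data.read(incl_len)
            if len(frame) != incl_len:
                raise ValueError("truncated pcap record")
            total += 1
            if pred(frame):
                out.write(rec + frame)
                kept += 1
    if child.wait() != 0:
        raise RuntimeError("capturer exited with status %d" % child.returncode)
    return kept, total


def run_demo(ethertype=0x0800):
    """Capture into memory; returns (kept, total, bytes written)."""
    buf = io.BytesIO()
    kept, total = capture_with_filter(read_filter_ethertype(ethertype), buf)
    return kept, total, len(buf.getvalue())


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "--capture-fd":
        run_capturer(int(sys.argv[2]))
    else:
        # tshark-style "-w -": filtered pcap goes to stdout, which the capturer never used
        kept, total = capture_with_filter(read_filter_ethertype(0x0800), sys.stdout.buffer)
        print("kept %d of %d records" % (kept, total), file=sys.stderr)
```

Run as `python capture_split.py > out.pcap` (file name assumed): the pcap on stdout contains only the two IPv4 frames, because the capturer wrote to the inherited pipe fd rather than stdout. The same layout works with a temporary file in place of the pipe; the point is only that the packet data channel and the parent's stdout are distinct, so "-w -" and a read filter both remain possible on the unprivileged side.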