From owner-freebsd-security Wed Dec 11 13:36:43 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id NAA11230 for security-outgoing; Wed, 11 Dec 1996 13:36:43 -0800 (PST)
Received: from xmission.xmission.com (softweyr@xmission.xmission.com [198.60.22.2]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id NAA11225 for ; Wed, 11 Dec 1996 13:36:36 -0800 (PST)
Received: (from softweyr@localhost) by xmission.xmission.com (8.8.4/8.7.5) id OAA15103; Wed, 11 Dec 1996 14:35:27 -0700 (MST)
From: Softweyr LLC
Message-Id: <199612112135.OAA15103@xmission.xmission.com>
Subject: Re: Risk of having bpf0?
To: msmith@atrad.adelaide.edu.au (Michael Smith)
Date: Wed, 11 Dec 1996 14:35:26 -0700 (MST)
Cc: security@freebsd.org
In-Reply-To: <199612110634.RAA22676@genesis.atrad.adelaide.edu.au> from "Michael Smith" at Dec 11, 96 05:04:36 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Wes Peters stands accused of saying:
% Better yet, get some sort of sniffer package to run on another system.
% We use Ether Peek for Macintosh and Win95 at work, both seem to work
% well. In addition to *not* opening up your important machines to hack
% attacks, such a tool will also let you look at non-IP activity, bare
% ethernet activity, and let you examine the output of a machine that
% seems to be going sick in the ether adapter.

Mike Smith answered:
> Tcpdump does all this and lots more; the filter language is pretty powerful.
>
> The fact that it knows how to interpret lots of protocols and that you
> can extend it (courtesy of the source and an easy internal interface)
> puts it over anything else I've seen yet.
EtherPeek does all of those things, understands most of the common protocols run over ethernet including IP, IPX/SPX, AppleTalk, DECnet, and XNS; allows you to display packets from specified machines or protocols in different colors, will display machine names by ethernet, IP, DECnet, etc. address, all those wonderful things.

EtherPeek costs money - I think it's $495. At the same time, you can put a machine containing EtherPeek on your network and nobody can hack their way into it over the network and use it against you, since it is running on MacOS or Win95. If you can lose more than $495 in an attack, it should be pretty easy to justify.

We put it on laptops, which make wonderful diagnostic tools. ;^)

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters
Softweyr LLC
http://www.xmission.com/~softweyr
softweyr@xmission.com