From owner-freebsd-security Tue Feb 2 15:49:46 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA28840 for freebsd-security-outgoing; Tue, 2 Feb 1999 15:49:46 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA28833 for ; Tue, 2 Feb 1999 15:49:44 -0800 (PST) (envelope-from peter.jeremy@auss2.alcatel.com.au)
Received: by border.alcanet.com.au id <40334>; Wed, 3 Feb 1999 10:39:40 +1100
Date: Wed, 3 Feb 1999 10:49:29 +1100
From: Peter Jeremy
Subject: Re: tcpdump
To: jwyatt@RWSystems.net
Cc: security@FreeBSD.ORG
Message-Id: <99Feb3.103940est.40334@border.alcanet.com.au>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

James Wyatt wrote:
>Don't make more BPFs than you need (usually 1)

If you use multiple network interfaces (including ppp/lpip), having a second BPF can be useful when you're trying to resolve routing problems. If you're using DHCP, you'll need a spare BPF for dhcpd.

> and leave tcpdump running
>to lock it. If someone gets in and gets rootly, they can use it to sniff

This doesn't buy you anything:

1) Anyone with root access can kill your tcpdump to grab the BPF (or just run ktrace on it to grab the output without alerting you).

2) Anyone with physical access to your network can achieve the same thing with sniffer software on a laptop.

Running tcpdump (especially in promiscuous mode) can substantially increase the load on your system. You _don't_ want to do this if your machine is on a heavily loaded network.

I've seen suggestions (I can't recall where) that you might as well "chmod 666 /dev/bpf*" to more accurately reflect the difficulty of network snooping (although I think this is going too far).

Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
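The thread turns on who can open the BPF device nodes and who already holds them open. The script below is an added example, not part of Peter Jeremy's message or the FreeBSD project: it walks the bpf* nodes under a directory (default /dev), flags any that are group- or world-accessible (the "chmod 666 /dev/bpf*" state discussed above), and, where the FreeBSD fstat(1) utility exists, lists the processes holding each node open. The function name bpf_audit, the directory argument and the use of fstat are this example's own choices; the mode check parses the portable ls -l mode string so it also runs on a non-BSD host against stand-in files.

```shell
#!/bin/sh
# Added example (not from the original message): audit BPF device nodes.
#
# bpf_audit [DIR]
#   Examines every DIR/bpf* node (DIR defaults to /dev). Prints one line per
#   node with its mode string and, when fstat(1) is available (FreeBSD),
#   the processes that currently hold the node open.
#   Returns 0 if every node is accessible only by its owner,
#   returns 1 if any node grants read or write to group or other.

bpf_audit() {
    dir="${1:-/dev}"          # assumption: caller may point this at a test dir
    rc=0
    for node in "$dir"/bpf*; do
        [ -e "$node" ] || continue          # glob matched nothing
        # Field 1 of ls -ld is the mode string, e.g. crw-------
        # position 1 is the file type, 2-4 owner, 5-7 group, 8-10 other;
        # a trailing + or @ (ACL/xattr marker) is absorbed by the final *.
        mode=$(ls -ld "$node" | awk '{print $1}')
        case "$mode" in
            ????------*) verdict="owner-only" ;;
            *)           verdict="GROUP/WORLD ACCESSIBLE"; rc=1 ;;
        esac
        printf '%s %s %s\n' "$node" "$mode" "$verdict"
        # Who holds it open right now? fstat(1) with a file operand reports
        # the processes that have that file open (FreeBSD). Other systems
        # without fstat simply skip this step.
        if command -v fstat >/dev/null 2>&1; then
            fstat "$node" 2>/dev/null | awk 'NR > 1 {print "   held open by:", $2, "pid", $3}'
        fi
    done
    return "$rc"
}

# Stand-alone usage: audit the real device directory and exit with its verdict.
if [ "${BPF_AUDIT_NO_MAIN:-}" = "" ] && [ "$(basename "$0")" = "bpf_audit.sh" ]; then
    bpf_audit "${1:-/dev}"
    exit $?
fi
```

A node reported as owner-only still does not protect against the message's point 1: root can kill the sniffer holding the node or ktrace it, so the audit tells you about ordinary users, not about an attacker who already has root.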