Ethereal-users: Re: [Ethereal-users] Installation of 0.9.0 under Solaris 2.8/gcc 3.0

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Fri, 18 Jan 2002 13:22:26 -0800 (PST)

> As this package is related to system/network administration and could be
> abused, it is installed so as to be executable only by root.

On Solaris, you can't capture packets promiscuously unless you're
running as root in any case - and you can't capture packets at all
unless the "/dev" entry for the network device type on which you'd be
capturing packets, e.g. "/dev/hme" or "/dev/ge", is readable and
writable by you, and it's normally readable and writable only by root:

	hostname$ uname -sr
	SunOS 5.8
	hostname$ ls -lL /dev/hme /dev/ge
	crw-------   1 root     sys       11, 51 Nov 13 13:28 /dev/ge
	crw-------   1 root     sys       11,  7 Nov 13 13:22 /dev/hme

I.e., even if it's publicly executable, all a user can do on Solaris is
read captures somebody's already gotten *and* made readable by that
user.

(By default, that's the case on most systems.  The current CVS, and 3.7
beta, version of the tcpdump man page gives details:

     Reading packets from a network interface may require that
     you have special privileges:

     Under SunOS 3.x or 4.x with
          You must have read access to /dev/nit or /dev/bpf*.

     Under Solaris with DLPI:
          You must have read/write access to the network pseudo
          device, e.g. /dev/le. On at least some versions of
          Solaris, however, this is not sufficient to allow
          tcpdump to capture in promiscuous mode; on those
          versions of Solaris, you must be root, or tcpdump must
          be installed setuid to root, in order to capture in
          promiscuous mode.

     Under HP-UX with DLPI:
          You must be root or tcpdump must be installed setuid to
          root.

     Under IRIX with snoop:
          You must be root or tcpdump must be installed setuid to
          root.

     Under Linux:
          You must be root or tcpdump must be installed setuid to
          root.

     Under Ultrix and Digital UNIX:
          Once the super-user has enabled promiscuous-mode
          operation using pfconfig(8), any user may capture
          network traffic with tcpdump.

     Under BSD:
          You must have read access to /dev/bpf*.

     Reading a saved packet file doesn't require special
     privileges.

The same rules apply to Ethereal and Tethereal, as they use the same
capture mechanism that tcpdump does.)
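
The device-node check described in the message can be scripted when auditing a host. The following is an added example, not part of the original message or of Ethereal/tcpdump: it reads `ls -lL` lines and reports which nodes a given account could open read/write. The third sample line and the `netcap` group are constructed, and the script covers only node permissions, not the separate root requirement for promiscuous mode.

```shell
#!/bin/sh
# Added example: decide from `ls -lL` output who can open a capture device node.

# Constructed input: the first two lines are the listing shown in the message;
# the third is a constructed node that an admin has opened to a "netcap" group.
SAMPLE='crw-------   1 root     sys       11, 51 Nov 13 13:28 /dev/ge
crw-------   1 root     sys       11,  7 Nov 13 13:22 /dev/hme
crw-rw----   1 root     netcap    11,  9 Nov 13 13:30 /dev/le'

# can_open_rw LINE USER "GROUP ..."
# Prints "yes" if USER may open the node read/write, else "no".
# Only one permission class applies: owner, else group, else other.
can_open_rw() {
    line=$1; user=$2; grps=$3
    set -f; set -- $line; set +f        # split the ls line into fields
    mode=$1; owner=$3; group=$4
    if [ "$user" = root ]; then         # root bypasses the mode bits
        echo yes; return 0
    fi
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c2-3)
    else
        case " $grps " in
            *" $group "*) bits=$(printf '%s' "$mode" | cut -c5-6) ;;
            *)            bits=$(printf '%s' "$mode" | cut -c8-9) ;;
        esac
    fi
    if [ "$bits" = rw ]; then echo yes; else echo no; fi
}

# capturable_nodes USER "GROUP ..."
# Reads ls lines on stdin and prints the paths USER could open read/write.
capturable_nodes() {
    while IFS= read -r l; do
        [ -n "$l" ] || continue
        if [ "$(can_open_rw "$l" "$1" "$2")" = yes ]; then
            set -f; for path in $l; do :; done; set +f   # last field = path
            printf '%s\n' "$path"
        fi
    done
}

printf '%s\n' "$SAMPLE" | capturable_nodes alice "staff netcap"
```

On a live host, feed it real output, e.g. `ls -lL /dev/hme /dev/ge | capturable_nodes someuser "somegroup"`; any path it prints for a non-root account is a node whose permissions have been loosened from the default shown above.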