["John McDermott" <jjm@xxxxxxxxxx>]

>> We have a few options here:
>> a) Do privsep where relevant (e.g. on systems that require root perms to
>>   capture data).

This might be good if it really ends up helping.

>> b) Identify which type of errors allow exploits, which coding errors led
>>   to them and do a code audit as well as provide some infrastructure in
>>   order to prevent them in the future (like tvbuff).

This really *should* be done, even though it is a pain in the fingers.

>> c) Work with generators and migrate all dissectors to some specification
>>   language.

This will, as noted, take years to migrate to, but will likely generate
slower dissectors.  Also, the code to do the interpretation (if we use
interpreted code to do the dissection) will need auditing.  Even if we do
C generation, the generator will need auditing (as it would if we
interpret). This sounds to me like a lot of work unless we use a well
trusted generator that generates C (or assembler...).  I do not know of
one, but that does not mean one does not exist. I do know that many of us
have looked for such a beast.

>> d) Provide dissectors with a flag that gives a default state (enabled/
>>   disabled) in case the config file doesn't have anything different to
>>   say. Disable most dissectors by default and review those that are
>>   enabled by default.

This might contribute to a bit of a speedup, too, if done cleverly.

>
> I very frequently run Ethereal as 'root' (because I need to capture
> things) but often do it in a hurry to check something out.  Or, I need
> to do it and "update in real time" while I wait for a particular message
> to show up or problem to occur or whatever...

I excluslively run Ethereal in "update in real time" mode.  I do not
recall ever capturing, then viewing.

--john