Ethereal-dev: Re: [Ethereal-dev] Split the capture-child into it's own program?!?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <gharris@xxxxxxxxx>
Date: Thu, 17 Nov 2005 02:01:25 -0800
Ulf Lamping wrote:

Hi List!
While looking at the current capture handling and the recent command line problems, I'm asking myself if it would be a good idea to split the capture-child into it's own (little) program. 

Yes.  I thought that was the intent, as per the discussion in

	http://wiki.ethereal.com/Development/PrivilegeSeparation
In addition, we do a lot of stuff for the capture-child we don't need to do (which takes time and memory): register the dissectors (and need memory for all of them), register plugins, and a lot more.
...such as dissecting packets, which is the source of most if not all of the security problems in Ethereal; if the capture child doesn't do that, and it's the only part that runs with elevated privileges on those UN*Xes that require elevated privileges for capturing, the dissectors at least can't get elevated privileges. 


I see some real advantages to have a separate capture-child application:
- a small stand-alone capture application without all the Ethereal dissection overhead, but with fine things like the ringbuffer feature
...and perhaps usable as a quick stand-alone capture program independently from Ethereal.
- don't need to init a lot of unrequired stuff (dissectors, plugins, ...) for a capture start
- elevated privileges only required in the smaller and easier-to-audit capture application
- main loop of Ethereal doesn't have to include waiting on the capture device, which is somewhat tricky (e.g., GTK+'s/GLib's main loop uses poll() on UN*X, but BPF devices aren't supported by poll() in Mac OS X 10.4[.x] - they're only supported by select(), and even that has the annoying problem found at least in older versions of other BSDs that require a timeout in the select). Pipes support select() and poll(); on Windows, you can *probably* do a WaitForMultipleEvents() to select on them (the GLib/GTK+ main loop uses WaitForMultipleEvents() or MsgWaitForMultipleEvents() on Windows).
- we might be able to drop the requirement of GTK completely for the capture child (when the capture info window isn't needed)
Do the capture window stuff in the main program, and have the capture child just send packet counts on a pipe (or shared memory?) to the main program. Note that GTK+ refuses to run set-UID (because you can crack set-UID GTK+ programs by getting it to load *your* code in theme engines, etc.). 


And some disadvantages:


	...


- probably security problems?
Actually, the simple capture child will probably have *fewer* security problems, as per the above.