Ethereal-users: Re: [Ethereal-Users] sniffing theory

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gerald Combs <gerald@xxxxxxxxxxxx>
Date: Sun, 7 Apr 2002 19:24:10 -0500 (CDT)

On Sun, 7 Apr 2002, Rick Farina wrote:

> I have a really odd question.  If I am using linux, and block ALL outgoing
> AND incoming traffic with iptables, can I still sniff?  I would assume not,
> but promisc does have some odd features.  If this would work, is there a
> disadvantage to this?

As a quick test I ran "iptables -A INPUT -j DROP" and "iptables -A OUTPUT
-j DROP" on a stock RH 7.2 machine (kernel version 2.4.9).  I was able to
capture without any problems.  However, I haven't found any documentation
that states that this is the case for all 2.4 kernels.

What are you trying to accomplish by blocking all traffic?  If you want to
sniff on an interface that's invisible to the local network, you might try
bringing your interface up without an IP address.  You should still be
able to see traffic without having to worry about iptables intercepting
anything.


> Thanks
> 
> -Rick Farina
> 
> 
> "a false sense of security, is worse than insecurity" -Steve Gibson
>
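
The address-less capture interface suggested in the reply above, as an added example that is not part of the original message: it brings an interface up with no address and then checks that none is bound. It goes beyond the message by also disabling IPv6 autoconfiguration, which on current Linux kernels would otherwise assign a link-local address and emit traffic; the interface name `eth1` and the sample `ip -o addr show` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Interface name eth1 is an assumption.

# Constructed sample of `ip -o addr show` output: eth1 was brought up with no
# IPv4 address, but the kernel autoconfigured an IPv6 link-local address.
SAMPLE_AUTOCONF='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::5054:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever'

# list_addrs IFACE: read `ip -o addr show` output on stdin and print
# "family address" for every address bound to IFACE.
list_addrs() {
    awk -v ifc="$1" '$2 == ifc && ($3 == "inet" || $3 == "inet6") { print $3, $4 }'
}

# is_passive IFACE: succeed only if stdin lists no address on IFACE.
is_passive() {
    [ -z "$(list_addrs "$1")" ]
}

# make_passive IFACE (root required): strip addresses, stop IPv6 autoconfig
# and ARP replies, then bring the link up in promiscuous mode.
make_passive() {
    ip addr flush dev "$1" &&
    sysctl -q -w "net.ipv6.conf.$1.disable_ipv6=1" &&
    ip link set dev "$1" arp off &&
    ip link set dev "$1" promisc on &&
    ip link set dev "$1" up
}

# Usage: sh passive.sh apply eth1
if [ "${1:-}" = "apply" ]; then
    make_passive "${2:?interface name required}" || exit 1
    if ip -o addr show dev "$2" | is_passive "$2"; then
        echo "$2: no addresses bound, capture only"
    else
        echo "$2: still has addresses:" >&2
        ip -o addr show dev "$2" | list_addrs "$2" >&2
        exit 1
    fi
fi
```

Run the check again after any network manager or DHCP client restarts, since those can re-add an address to the interface.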