[Guy Harris <guy@xxxxxxxxxxxx>]

On Dec 2, 2003, at 1:46 AM, Nosnos wrote:

> - Is it possible to launch and start capture in user mode ?

That depends on the OS you're using.

To quote the current CVS tcpdump man page's section on what privileges 
are required in order to capture packets:

       Reading packets from a network interface may require that you 
have spe-
       cial privileges:

       Under SunOS 3.x or 4.x with NIT or BPF:
              You must have read access to /dev/nit or /dev/bpf*.

       Under Solaris with DLPI:
              You must have read/write access to the  network  pseudo  
device,
              e.g.   /dev/le.   On at least some versions of Solaris, 
however,
              this is not sufficient to allow tcpdump to capture in  
promiscu-
              ous  mode;  on  those  versions of Solaris, you must be 
root, or
              tcpdump must be installed setuid to root, in order to 
capture in
              promiscuous  mode.  Note that, on many (perhaps all) 
interfaces,
              if you don't capture in promiscuous mode, you will not  
see  any
              outgoing  packets, so a capture not done in promiscuous 
mode may
              not be very useful.

       Under HP-UX with DLPI:
              You must be root or tcpdump must be installed setuid to 
root.

       Under IRIX with snoop:
              You must be root or tcpdump must be installed setuid to 
root.

       Under Linux:
              You must be root or tcpdump must be  installed  setuid  
to  root
              (unless  your distribution has a kernel that supports 
capability
              bits such as CAP_NET_RAW and code to allow those 
capability bits
              to be given to particular accounts and to cause those 
bits to be
              set on a user's initial processes when they  log  in,  in 
 which
              case  you   must  have  CAP_NET_RAW  in  order  to  
capture  and
              CAP_NET_ADMIN to enumerate network devices  with,  for  
example,
              the -D flag).

       Under ULTRIX and Digital UNIX/Tru64 UNIX:
              Any  user may capture network traffic with tcpdump.  
However, no
              user (not even the super-user) can capture in  
promiscuous  mode
              on  an  interface unless the super-user has enabled 
promiscuous-
              mode operation on that interface using pfconfig(8), and 
no  user
              (not  even  the super-user) can capture unicast traffic 
received
              by or sent by the machine on an interface unless the  
super-user
              has  enabled  copy-all-mode  operation  on  that 
interface using
              pfconfig, so useful packet  capture  on  an  interface  
probably
              requires  that  either  promiscuous-mode or copy-all-mode 
opera-
              tion, or both modes of operation, be enabled on that  
interface.

       Under BSD (this includes Mac OS X):
              You  must  have  read access to /dev/bpf*.  On BSDs with 
a devfs
              (this includes Mac OS X), this might involve more than 
just hav-
              ing  somebody  with  super-user  access setting the 
ownership or
              permissions on the BPF devices - it  might  involve  
configuring
              devfs  to set the ownership or permissions every time the 
system
              is booted, if the system even supports that; if it 
doesn't  sup-
              port  that,  you  might have to find some other way to 
make that
              happen at boot time.

>  tethereal could not acces to eth0

Then you're probably running on Linux, in which case you need to be 
root, unless there's some way to get Ethereal or Tethereal to run with 
the CAP_NET_RAW capability bit (I don't know how to arrange that it run 
with that bit set).

> - can we specify our preferences files instead of the .preference with 
> is on $HOME ?

The "preference" file in $HOME/.ethereal *IS* your preference file.  
There is no way to have Ethereal look elsewhere for a user preference 
file (it's not as if you could have your preference file specify where 
the preference file is :-)).

You can have a "global" preference file in the directory in which 
Ethereal's configuration files are stored (which is probably 
"/usr/share/ethereal" if Ethereal is in "/usr/bin" and 
"/usr/local/share/ethereal" if Ethereal is in "/usr/local/bin"), which 
applies to *all* users; your personal preference file will override 
settings in the global preference file, which will override the 
defaults.

> PS : Is protocol like pop, nntp, ftp will support the desegment 
> function soonly ?

Only if somebody contributes code soon to support them.  I don't know 
whether anybody's working on that.