Ethereal-users: Re: [Ethereal-users] root process, preferences files

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 2 Dec 2003 14:18:31 -0800

On Dec 2, 2003, at 1:46 AM, Nosnos wrote:

- Is it possible to launch and start capture in user mode?

That depends on the OS you're using.

To quote the current CVS tcpdump man page's section on what privileges are required in order to capture packets:

       Reading packets from a network interface may require that you have special privileges:

       Under SunOS 3.x or 4.x with NIT or BPF:
              You must have read access to /dev/nit or /dev/bpf*.

       Under Solaris with DLPI:
              You must have read/write access to the network pseudo device, e.g. /dev/le. On at least some versions of Solaris, however, this is not sufficient to allow tcpdump to capture in promiscuous mode; on those versions of Solaris, you must be root, or tcpdump must be installed setuid to root, in order to capture in promiscuous mode. Note that, on many (perhaps all) interfaces, if you don't capture in promiscuous mode, you will not see any outgoing packets, so a capture not done in promiscuous mode may not be very useful.

       Under HP-UX with DLPI:
              You must be root or tcpdump must be installed setuid to root.

       Under IRIX with snoop:
              You must be root or tcpdump must be installed setuid to root.

       Under Linux:
              You must be root or tcpdump must be installed setuid to root (unless your distribution has a kernel that supports capability bits such as CAP_NET_RAW and code to allow those capability bits to be given to particular accounts and to cause those bits to be set on a user's initial processes when they log in, in which case you must have CAP_NET_RAW in order to capture and CAP_NET_ADMIN to enumerate network devices with, for example, the -D flag).

       Under ULTRIX and Digital UNIX/Tru64 UNIX:
              Any user may capture network traffic with tcpdump. However, no user (not even the super-user) can capture in promiscuous mode on an interface unless the super-user has enabled promiscuous-mode operation on that interface using pfconfig(8), and no user (not even the super-user) can capture unicast traffic received by or sent by the machine on an interface unless the super-user has enabled copy-all-mode operation on that interface using pfconfig, so useful packet capture on an interface probably requires that either promiscuous-mode or copy-all-mode operation, or both modes of operation, be enabled on that interface.

       Under BSD (this includes Mac OS X):
              You must have read access to /dev/bpf*. On BSDs with a devfs (this includes Mac OS X), this might involve more than just having somebody with super-user access setting the ownership or permissions on the BPF devices - it might involve configuring devfs to set the ownership or permissions every time the system is booted, if the system even supports that; if it doesn't support that, you might have to find some other way to make that happen at boot time.

tethereal could not access eth0

Then you're probably running on Linux, in which case you need to be root, unless there's some way to get Ethereal or Tethereal to run with the CAP_NET_RAW capability bit (I don't know how to arrange that it run with that bit set).

- Can we specify our own preferences file instead of the .preference which is in $HOME?

The "preference" file in $HOME/.ethereal *IS* your preference file. There is no way to have Ethereal look elsewhere for a user preference file (it's not as if you could have your preference file specify where the preference file is :-)).

You can have a "global" preference file in the directory in which Ethereal's configuration files are stored (which is probably "/usr/share/ethereal" if Ethereal is in "/usr/bin" and "/usr/local/share/ethereal" if Ethereal is in "/usr/local/bin"), which applies to *all* users; your personal preference file will override settings in the global preference file, which will override the defaults.

PS: Will protocols like pop, nntp, ftp support the desegment function soon?

Only if somebody contributes code soon to support them. I don't know whether anybody's working on that.
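The Linux entry in the tcpdump man page excerpt above says capture needs either root, a setuid-root binary, or the CAP_NET_RAW capability (plus CAP_NET_ADMIN to list interfaces). The script below is an added example, not part of the original message or of Ethereal/tcpdump; it audits how a capture binary on a Linux host obtains that privilege, reporting whether it is setuid (every root privilege) or carries only the two file capabilities capture needs (least privilege). The dumpcap path is an assumption; getcap(8)/setcap(8) are the standard libcap tools, and the script only prints the setcap command rather than running it.

```shell
#!/bin/sh
# Added example (not from the original post): audit how a Linux
# packet-capture binary gets its privilege. Least-privilege target:
# file capabilities CAP_NET_RAW (capture) + CAP_NET_ADMIN (enumerate
# interfaces), and NOT the setuid bit. The default path is an assumption.

CAPTURE_BIN="${CAPTURE_BIN:-/usr/bin/dumpcap}"

# Classify one getcap(8) output line, e.g.
#   /usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
# Prints "capabilities" if both needed caps are present, "partial" if
# only one is, "none" if neither (including an empty line).
classify_getcap_line() {
    line="$1"
    has_raw=0; has_admin=0
    case "$line" in *cap_net_raw*)   has_raw=1 ;;   esac
    case "$line" in *cap_net_admin*) has_admin=1 ;; esac
    if [ "$has_raw" -eq 1 ] && [ "$has_admin" -eq 1 ]; then
        echo capabilities
    elif [ "$has_raw" -eq 1 ] || [ "$has_admin" -eq 1 ]; then
        echo partial
    else
        echo none
    fi
}

# Report how a binary obtains capture privilege:
#   missing       - no such file
#   setuid        - setuid bit set (whole-binary root privilege)
#   capabilities / partial / none - from its file capabilities
capture_priv_mode() {
    bin="$1"
    if [ ! -e "$bin" ]; then
        echo missing
        return 0
    fi
    if [ -u "$bin" ]; then
        echo setuid
        return 0
    fi
    caps=""
    if command -v getcap >/dev/null 2>&1; then
        # getcap prints nothing for a file without capabilities
        caps=$(getcap "$bin" 2>/dev/null)
    fi
    classify_getcap_line "$caps"
}

# The setcap command an administrator would run (as root) to grant
# exactly the two capabilities; printed, never executed here.
grant_command() {
    echo "setcap cap_net_raw,cap_net_admin=eip $1"
}

mode=$(capture_priv_mode "$CAPTURE_BIN")
echo "$CAPTURE_BIN: $mode"
case "$mode" in
    setuid)
        echo "setuid root grants every root privilege to the whole binary;"
        echo "prefer: $(grant_command "$CAPTURE_BIN")" ;;
    partial|none)
        echo "no usable file capabilities; to grant them: $(grant_command "$CAPTURE_BIN")" ;;
esac
```

The setuid check comes first because a setuid-root binary gets full root regardless of any capability set, so that is the finding to surface; the capability branch then distinguishes a correctly scoped binary from one missing either capability.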
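The reply also describes three layers for a preference value: the built-in default, the global preferences file in Ethereal's configuration directory, and the user's own file in $HOME/.ethereal, each overriding the one before. The script below is an added example, not code from the original message or from Ethereal; it resolves one preference through those layers using the "name: value" line format of a preferences file. The sample files and their contents are constructed for the demonstration, and the lookup assumes simple "name: value" lines with "#" comments.

```shell
#!/bin/sh
# Added example (not from the original post): effective value of an
# Ethereal preference = built-in default, overridden by the global
# preferences file, overridden by the per-user file. Sample files below
# are constructed; the "name: value" line format is assumed.

# Print the value of "name: value" in a preferences file (last match
# wins), ignoring "#" comment lines. Prints nothing if the file is
# missing or has no such line.
pref_lookup() {
    file="$1"; name="$2"
    [ -r "$file" ] || return 0
    awk -v key="$name" '
        /^[ \t]*#/ { next }                      # comment line
        index($0, key ":") == 1 {                # line starts with "name:"
            v = substr($0, length(key) + 2)      # text after the colon
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            val = v
        }
        END { if (val != "") print val }' "$file"
}

# Resolve the layers: user file > global file > default.
effective_pref() {
    name="$1"; default="$2"; global_file="$3"; user_file="$4"
    v=$(pref_lookup "$user_file" "$name")
    [ -n "$v" ] || v=$(pref_lookup "$global_file" "$name")
    [ -n "$v" ] || v="$default"
    echo "$v"
}

# Demonstration with constructed files standing in for
# /usr/share/ethereal/preferences and $HOME/.ethereal/preferences.
demo_dir=$(mktemp -d)
cat > "$demo_dir/global_preferences" <<'EOF'
# constructed site-wide file
gui.scrollbar_on_right: TRUE
capture.prom_mode: FALSE
EOF
cat > "$demo_dir/user_preferences" <<'EOF'
# constructed per-user file: overrides the global setting
capture.prom_mode: TRUE
EOF
for name in gui.scrollbar_on_right capture.prom_mode gui.geometry.main_x; do
    echo "$name = $(effective_pref "$name" "(built-in default)" \
        "$demo_dir/global_preferences" "$demo_dir/user_preferences")"
done
rm -rf "$demo_dir"
```

Running it shows the global value surviving where the user file is silent, the user value winning where both files set the key, and the default where neither does, which is the precedence the reply states.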