Jeff Morriss wrote:
> tcpdump and commercial sniffer products probably need root access and
> are reading from the network, but I'm not sure tcpdump counts as "big"
It's not as big as Wireshark, but it *has* had its own problems with
code vulnerable to malicious packets.
It will, before opening a capture file to read, and after opening a
capture device on which to do a live capture, drop privileges to run
with the real user and group ID.
> and I know nothing of commercial sniffers.
Most of 'em run on Windows, and thus come with a driver of some sort to
support capturing; I suspect they arrange that either anybody,
administrators, or the user who installed the sniffer can open the
device, so it runs as the user.
One that used to run on a UN*X was EtherPeek for OS X; according to the
manual I have, when you started it, it popped up a dialog with a list of
adapters, and required you to click an "unlock" button to capture on the
selected adapter. That opened a dialog asking for an administrator's
password. I *suspect* that caused it to run a program or script as
root; if so, it might have changed the BPF devices to be accessible by
the user.
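As an added illustration (not code from this thread, tcpdump or libpcap), here is the privilege-drop sequence described above in plain C: the capture source is opened while still privileged, then the process drops to its real user and group ID, and the drop is checked to be irrevocable before any packet data is parsed. Opening `/dev/null` stands in for opening a capture device or file; the function names `drop_privileges` and `privileges_irrevocable` are my own.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop from the effective (possibly root) identity to the real user and
 * group ID. Order matters: supplementary groups first (only root may
 * change them), then the group ID, then the user ID, since after
 * setuid() the process can no longer change its groups.
 * Returns 0 on success, -1 on failure with errno set. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (geteuid() == 0) {
        /* Clear the supplementary group list down to the real group. */
        if (setgroups(1, &rgid) != 0)
            return -1;
    }
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;
    return 0;
}

/* Check that the drop is permanent: effective IDs equal the real IDs and,
 * for a non-root real user, an attempt to regain uid 0 fails.
 * Returns 1 if privilege cannot be regained, 0 otherwise. */
int privileges_irrevocable(void)
{
    if (geteuid() != getuid() || getegid() != getgid())
        return 0;
    if (getuid() != 0 && setuid(0) == 0)
        return 0;   /* setuid(0) succeeded: the drop did not stick */
    return 1;
}

int main(void)
{
    /* Step 1: open the capture source while still privileged.
     * /dev/null is a stand-in for the capture device or file. */
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0) {
        fprintf(stderr, "open: %s\n", strerror(errno));
        return 1;
    }

    /* Step 2: drop to the real user and group before touching any data. */
    if (drop_privileges() != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    if (!privileges_irrevocable()) {
        fprintf(stderr, "privilege drop is not permanent; refusing to continue\n");
        return 1;
    }

    /* Step 3: only now read (and parse) packet data, as the unprivileged user. */
    char buf[64];
    ssize_t n = read(fd, buf, sizeof buf);
    printf("running as uid %u/gid %u, read %zd bytes\n",
           (unsigned)geteuid(), (unsigned)getegid(), n);
    close(fd);
    return 0;
}
```

Note that the check in `privileges_irrevocable` matters on systems where `setuid()` only changes the effective ID for a non-root caller; the saved set-user-ID would then still allow a way back, which is exactly the case a packet parser running on hostile input should never be in.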