7. Caveats
7.1 Implementation Caveats
Please note the following points.
-
KSnuffle is based on libpcap-0.4, as used in, for example,
the tcpdump utility. Since I only have access to Linux
machines, I only have libpcap for Linux. If you wish to run
KSnuffle on a system other than Linux, you will need to get hold
of a suitable version of libpcap and rebuild the program.
-
KSnuffle bypasses the defined libpcap API. Specifically,
it may construct multiple filter programs for a single packet
capture instance, and applies these directly to captured packets;
the libpcap packet capture loop actually runs with a null
filter program which accepts all packets. So far as I can tell,
this works correctly for Linux, but I cannot test other systems.
-
Since I only have access to x86 machines, I cannot test KSnuffle
on big-endian machines.
-
Some of the KSnuffle code is Lunux dependant (eg., it uses
/proc/net/arp to obtain mappings between MAC and IP
addresses). Your milage may vary under other Unix's.
-
The protocol decoding in this version assumes that it is
handling correct packets. Hence, it would be possible to crash
KSnuffle by sending it, for instance, a suitably crafted
DNS datagram. However, so far as I am aware, it is not
susceptible to buffer overflow attacks.
7.2 Setuid and Root Execution
If KSnuffle is installed normally, it will execute as whoever
invokes it. If the user is not root, then it will not be able to
access network interfaces. Under these circumstances, only log file
replay and remote sniffing is permitted.
If KSnuffle is set to be setuid-root, then selected non-root
users will be able to use the program; when KSnuffle is run
by root, then the User Setup page can
be used to control this.
As if KDE 2.1 (at least, as of the CVS code from mid-January 2001),
the KDE libraries will detect programs that appear to be running
setuid-root, and will terminate them. KSnuffle contains code
to work around this restriction. However, the author accepts no
responsibility for any consequences of running KNsuffle in this
way.
If you do wish to use KSnuffle to sniff local network interfaces, but
are not prepared either to (a) make KSnuffle setuid-root nor (b) to
run it as root, then equivalent functionality can be provided
by installing the remote sniffer daemon
rsnuffle. However, under such
circumstances, do not sniff the loopback device!
Next
Previous
Table of Contents