On 2008-11-06, Can Erkin Acar <[EMAIL PROTECTED]> wrote:
> Parsing raw network
> data, even from a file, provides an opportunity to inject incredible
> amounts of malicious input to the parser. That is also one reason we do
> not have ethereal/wireshark in ports. The last time I looked, they had a
> lot of parsers and an incredible amount of complex code tied to that
> stream of malicious input.

wireshark now has support to run only the packet capture as a
privileged user (by installing dumpcap setuid to a user with read
access to /dev/bpf, typically root but can be another if you change
permissions). the dissectors and UI are run as whichever user
started it.

unfortunately, they haven't gone as far as we did with tcpdump -
wireshark's dissectors are run as the normal user starting it,
not jailed in an unprivileged process. anyone considering running
it should still take a lot of care...
