On Sun, Feb 22, 2004 at 03:14:53PM -0800, Guy Harris wrote: > "pcap_set_datalink()" doesn't, at least on the BSDs, require root > privileges; the ioctl either isn't present (in which case you can't set > the data link type) or is unprivileged.
It can also, in current-CVS libpcap, be used to request that an Ethernet capture be given a link-layer type of DOCSIS, for use when capturing DOCSIS-forwarded-to-an-Ethernet from some Cisco cable modem equipment (they send DOCSIS frames inside low-level Ethernet framing). That requires no special privileges (the only difference it makes is that the link-layer type value in the pcap_t structure is changed). It's also supported for captures on Endace DAG cards when capturing on a serial link, to specify whether the packets should be assumed to have PPP or Cisco HDLC headers. That also just changes the link-layer type value in the pcap_t structure, and requires no special privileges. Currently, BSDs with the appropriate ioctls, and the Ethernet/DOCSIS stuff for all platforms and PPP/CHDLC stuff for DAG cards, are the only places where the link-layer type can be set. No other OS currently, as far as I know, directly supports a BSD-style "select the link-layer type" operation; I don't know whether any are planning on doing so. However, it's conceivable that, at some point, Linux *might* support forcing cooked-mode captures that way. Unfortunately, that requires closing the SOCK_RAW/PF_PACKET socket and opening a SOCK_DGRAM/PF_PACKET socket; that *would* require root privileges - but it would also run the risk that the new "socket()", etc. calls might fail, causing the call to fail in such a way that the "pcap_t" is no longer usable, rather than just failing in such a way that the link-layer type isn't changed. A scheme to allow a link-layer type to be chosen at open time (from a list of link-layer types presumably obtained through an earlier open, or perhaps from a future extended version of "pcap_findalldevs()") would fix those problems. > Given that "pcap_snapshot()" just returns "p->snapshot", which is set > from the argument supplied to "pcap_open_live()" and from the capture > file header by "pcap_open_offline()", I'm not sure why it'd be dangerous > with root or why it'd require root privileges. Actually, it's not necessarily the argument supplied to "pcap_open_live()", as if that was too small, libpcap might have increased it. It's still read-only, however. - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:[EMAIL PROTECTED]
