On Thu, 25 Oct 2001 hesselsp_at_ashaman.dhs.org wrote:
> I have had a request to put tcpdump on our firewall by one of our tech
> guys.
> I have told him that I will not do so, and he wants a good reason why.
a) tcpdump has had root exploits in the past, they will probably come back
up again:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tcpdump
use the cve and bugtraq databases. they are your friends in such a time.
b) performance. tcpdump slows down packet processing, among other things,
and on a router/gateway that's a noticeable hit.
suggestion: throw a switch in there and use the reflector port to monitor
stuff with a laptop. if you are worried about the laptop getting
compromised while sniffing use tcpdump at layer two. on (at least) OpenBSD:
ifconfig ep1 up (note no address given) and start tcpdump -ni ep1 ....
works like a champ.
i hope this helps.
____________________________
jose nazario jose_at_cwru.edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_nfr.com
http://list.nfr.com/mailman/listinfo/firewall-wizards
Received on Oct 26 2001
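The address-less capture interface suggested above, written up as an added shell example (not code from the original post or its author): it refuses to start sniffing if the interface still has an IPv4 address configured, then brings the interface up without one and runs tcpdump with -n. The interface name ep1 and the BSD-style ifconfig output format it parses are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Start a layer-two-only capture on
# a reflector/span port: the monitoring interface must carry no IP address so
# the sniffing host's network stack is not reachable on that segment.
# Assumptions: BSD-style ifconfig output ("inet a.b.c.d" on an indented line)
# and an interface name such as ep1 passed as the first argument.

# has_l3_address IFCONFIG_OUTPUT
#   returns 0 if an IPv4 "inet" address is configured, 1 otherwise.
has_l3_address() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]+inet[[:space:]]'
}

# start_capture IFACE [tcpdump filter expression...]
#   refuses to sniff on an addressed interface, otherwise brings the interface
#   up with no address (as in the post) and captures with -n (no name lookups,
#   so the monitoring host generates no DNS traffic while sniffing).
start_capture() {
    iface="$1"
    shift
    if has_l3_address "$(ifconfig "$iface")"; then
        echo "refusing: $iface has an IP address configured; remove it first" >&2
        return 1
    fi
    ifconfig "$iface" up                # no address given
    exec tcpdump -ni "$iface" "$@"      # e.g. start_capture ep1 'not arp'
}

# Only run when an interface name is given on the command line.
if [ $# -gt 0 ]; then
    start_capture "$@"
fi
```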