Firewall Wizards
mailing list archives
Re: tcpdump on my firewall
From: roel () SiliconDefense com
Date: Fri, 26 Oct 2001 16:44:57 -0700
Hello,
... tcpdump on our firewall ...
Unless you disable the promiscuous part of tcpdump/libpcap, the risk is rather
large, you're exposing user level apps to packets that are otherwise dropped,
before they get anywhere. Besides, whenever an interface goes in promiscuous
mode the ip stack has to deal with all packets flying by (aside from the ones
that it needs to process), this of course can have a considerable impact on
cpu load depending on the network. On top of that argument is that as soon
as you do anything with libpcap/tcpdump, that in itself will have a considerable
impact on the cpu, since it has to duplicate every packet...
Depending on your network, your users may come after you for lousy internet
performance because the fw bogged down to a snail's pace.
If you have to put tcpdump on your firewall, make sure it doesn't run as root.
(Unless you're on Linux, in that case you're stuck with running it as root, for
other OSes I can provide you with some instructions on how to run it without
root privileges.)
Good luck.
--
roel
Silicon Defense: Technical Support for Snort!
http://www.SiliconDefense.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
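
An added example, not part of the original post: a check a firewall administrator could run on Linux to confirm that a capture really left the interfaces out of promiscuous mode (for instance after starting tcpdump with its `-p` option). It assumes the Linux sysfs layout, where `/sys/class/net/<iface>/flags` holds the interface flag word in hex; the function names are illustrative.

```python
"""Report Linux network interfaces that are in promiscuous mode.

Added example. Assumes the Linux sysfs layout /sys/class/net/<iface>/flags.
"""
import os

# Interface flag bits as defined in <linux/if.h>.
IFF_UP = 0x1
IFF_PROMISC = 0x100


def read_flags(iface_dir):
    """Return the integer flag word from <iface_dir>/flags, or None if unreadable."""
    try:
        with open(os.path.join(iface_dir, "flags")) as fh:
            return int(fh.read().strip(), 16)
    except (OSError, ValueError):
        # Not an interface directory (e.g. a plain file) or malformed content.
        return None


def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """Return a sorted list of (name, is_up) for interfaces with IFF_PROMISC set."""
    found = []
    try:
        names = sorted(os.listdir(sysfs_root))
    except OSError:
        return found  # sysfs not available (non-Linux host or restricted view)
    for name in names:
        flags = read_flags(os.path.join(sysfs_root, name))
        if flags is not None and flags & IFF_PROMISC:
            found.append((name, bool(flags & IFF_UP)))
    return found


if __name__ == "__main__":
    hits = promiscuous_interfaces()
    for name, is_up in hits:
        state = "up" if is_up else "down"
        print(f"{name}: promiscuous ({state})")
    if not hits:
        print("no interface is in promiscuous mode")
```

Run it while the capture is active; an interface listed here is handing every frame on the wire to the host, which is the exposure and CPU cost the message describes.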