Re: Yahoogroups and Carnivore
From: Bill McGonigle <mcgonigle () medicalmedia com>
Date: Mon, 17 Sep 2001 18:55:27 -0400



On Monday, September 17, 2001, at 05:46 PM, Benny Fischer wrote:

-In the FAQ they claim there is no IP stack .. so how can it have IP-based
filters to let in traffic .. or is this all done with custom software?


If they're just capturing raw ethernet, they can disassemble the packets themselves without exposing the machine to "everything-over-IP" vulnerabilities. Surprisingly good design.

Still, I can't see how they can do all the analysis with "post-processing". There's just too much data on a big ISP's net. Does it write to a monstrous tape library? I'd think they'd at least want to do packet reassembly and sequencing in memory, then some filtering, for ease of analysis. That would mean in-line software, which could, of course, be brought down with just the right malformed TCP packet sequence. Unless they have much better-than-average programmers at the FBI. Of course if they're doing any filtering at that level, they'll miss steganographic TCP sequence numbers, etc. (if someone's invented that...)

-Bill
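Added example, not code from this thread or from Carnivore: a C parser that walks the Ethernet II, IPv4 and TCP headers of a raw captured frame without any IP stack, checking every length field against the bytes actually captured before touching them, which is the kind of hardening the in-line software Bill describes would need against a malformed packet. The names (parse_frame, flow, sample_frame, check_parser) and the 54-byte SYN frame are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fields pulled from one frame; hypothetical names, not Carnivore's. */
struct flow { uint32_t src_ip, dst_ip, seq; uint16_t src_port, dst_port; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Walks Ethernet II -> IPv4 -> TCP headers of a raw frame. Each header length
 * is validated against the captured length before it is dereferenced, so a
 * truncated capture or an absurd length field yields a negative code instead
 * of a read past the buffer. `out` may be NULL when only the verdict matters. */
int parse_frame(const uint8_t *buf, size_t len, struct flow *out)
{
    if (len < 14) return -1;                      /* no full Ethernet header */
    if (rd16(buf + 12) != 0x0800) return -2;      /* not IPv4 */
    const uint8_t *ip = buf + 14; size_t rem = len - 14;
    if (rem < 20 || (ip[0] >> 4) != 4) return -3; /* short or non-v4 header */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > rem) return -4;         /* bogus IHL */
    size_t tot = rd16(ip + 2);
    if (tot < ihl + 20 || tot > rem) return -5;   /* total length must fit */
    if (ip[9] != 6) return -6;                    /* not TCP */
    const uint8_t *tcp = ip + ihl; size_t trem = tot - ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || doff > trem) return -7;      /* bogus TCP data offset */
    if (out) {
        out->src_ip = rd32(ip + 12); out->dst_ip = rd32(ip + 16);
        out->src_port = rd16(tcp);   out->dst_port = rd16(tcp + 2);
        out->seq = rd32(tcp + 4);
    }
    return 0;
}

/* Constructed sample: 54-byte SYN 10.0.0.1:1234 -> 10.0.0.2:80, seq 1. */
const uint8_t sample_frame[54] = {
    0,0,0,0,0,1, 0,0,0,0,0,2, 0x08,0x00,                    /* Ethernet */
    0x45,0,0,40, 0,0,0x40,0, 64,6,0,0, 10,0,0,1, 10,0,0,2,  /* IPv4 */
    0x04,0xd2,0,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02,0xff,0xff, 0,0,0,0 }; /* TCP */

/* 1 when the sample parses and both a truncated capture and a frame whose IHL
 * claims more bytes than were captured are refused. */
int check_parser(void)
{
    struct flow f; uint8_t bad[54];
    if (parse_frame(sample_frame, sizeof sample_frame, &f) != 0) return 0;
    if (f.src_port != 1234 || f.dst_port != 80 || f.seq != 1) return 0;
    memcpy(bad, sample_frame, sizeof bad); bad[14] = 0x4f;  /* IHL = 60 bytes */
    return parse_frame(sample_frame, 40, NULL) == -5 && parse_frame(bad, sizeof bad, NULL) == -4;
}
```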
