<HTML>
<HEAD>
<TITLE>The KSnuffle Manual: Caveats</TITLE>
</HEAD>
<BODY TEXT="#000000" BGCOLOR="#FFFFFF" LINK="#AA0000">
<FONT FACE="Helvetica">
<A HREF="http://www.kde.org/"><IMG SRC="logotp3.gif" ALT="The K Desktop Environment" BORDER=0 ></A>
<BR>
<HR noshade>
<DIV ALIGN=right>
<A HREF="index-8.html">Next</A> <A HREF="index-6.html">Previous</A> <A HREF="index.html#toc7">Table of Contents</A>
</DIV>
<BR>
<H3> 7. Caveats </H3>
<H3> <A NAME="sec7.1"></A>7.1 Implementation Caveats </H3>
<P> Please note the following points.
<UL>
<LI> KSnuffle is based on <I>libpcap-0.4</I>, as used in, for example, the <I>tcpdump</I> utility. Since I only have access to Linux machines, I only have <I>libpcap</I> for Linux. If you wish to run KSnuffle on a system other than Linux, you will need to get hold of a suitable version of <I>libpcap</I> and rebuild the program. </LI>
<LI> KSnuffle bypasses the defined <I>libpcap</I> API. Specifically, it may construct multiple filter programs for a single packet capture instance, and applies these directly to captured packets; the <I>libpcap</I> packet capture loop actually runs with a null filter program which accepts all packets. So far as I can tell, this works correctly for Linux, but I cannot test other systems. </LI>
<LI> Since I only have access to x86 machines, I cannot test KSnuffle on big-endian machines. </LI>
<LI> Some of the KSnuffle code is Linux dependent (e.g., it uses <I>/proc/net/arp</I> to obtain mappings between MAC and IP addresses). Your mileage may vary under other Unixes. </LI>
<LI> The protocol decoding in this version assumes that it is handling correct packets. Hence, it would be possible to crash KSnuffle by sending it, for instance, a suitably crafted DNS datagram. However, so far as I am aware, it is not susceptible to buffer overflow attacks. </LI>
</UL>
</P>
<H3> <A NAME="sec7.2"></A>7.2 Setuid and Root Execution </H3>
<P> If KSnuffle is installed normally, it will execute as whoever invokes it.
If the user is not root, then it will not be able to access network interfaces. Under these circumstances, only log file replay and remote sniffing are permitted. </P>
<P> If KSnuffle is set to be setuid-root, then selected non-root users will be able to use the program; when KSnuffle is run by root, then the <A HREF="index-4.11.html">User Setup</A> page can be used to control this. </P>
<P> As of KDE 2.1 (at least, as of the CVS code from mid-January 2001), the KDE libraries will detect programs that appear to be running setuid-root, and will terminate them. KSnuffle contains code to work around this restriction. However, the author accepts no responsibility for any consequences of running KSnuffle in this way. </P>
<P> If you do wish to use KSnuffle to sniff local network interfaces, but are not prepared either (a) to make KSnuffle setuid-root or (b) to run it as root, then equivalent functionality can be provided by installing the remote sniffer daemon <A HREF="index-2.html#ss2.5">rsnuffle</A>. However, under such circumstances, do not sniff the loopback device! </P>
<P> <A HREF="index-8.html">Next</A> <A HREF="index-6.html">Previous</A> <A HREF="index.html#toc6">Table of Contents</A> </P>
<P> <HR size="3" noshade> </P>
</BODY>
</HTML>