
Ethereal-dev: Re: Disector categories (Re: [Ethereal-dev] Priv sep in ethereal)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Stephen Samuel <samuel@xxxxxxxxxxx>
Date: Sat, 12 Feb 2005 18:03:38 -0800
Yeah. For the purposes of this discussion, I think that you could
split Ethereal use into two categories.  One is debugging,
where you're playing with your own stuff -- often on a private
or semi-private network working to figure something out.

This is usually a cooperative environment where you've got
reasonable trust of the people you're getting the packets
from (often yourself).

The other is investigative use. This is in a security
context, where you're trying to take apart packets from
'hostile' machines.  If these machines know (or suspect)
that you're using ethereal to figure out what they're
doing, they may try injecting packets with the sole intent
of interrupting your work (or worse yet, hijacking your
computer too).

I realize that this last scenario is unlikely -- but it's
like insurance and backups.  You only really care about your
policy *after* the disaster hits.

I probably fit in both camps, depending on what I'm doing.
I have instances where I've used ethereal in 'snort-like'
monitoring setups, and others where I'm just trying to
read a web page 'the hard way' so I can snarf a video
off of a reticent IE-only site.


On one end of the spectrum you have the OpenBSD people who
are very anal (in a good way) about security.  Near the other
end you have Microsoft who still seems to consider security
to be more of a PR problem than a responsibility to their
customers.

I don't want to get in the way of ethereal's almost legendary
ability to add lots of dissectors either.  On the other hand,
this produces problems for the people who may have more limited
interests, but are working in a more hostile environment where
getting trashed by a hacker is, at best, very embarrassing.

If we can find a way to meaningfully split ethereal into
'trusted' and 'quick N Dirty' modules, then it may be possible
to create a setup where there is a 'default-safe' environment
that won't have the BSD people worrying about what will happen
to the next (naive) user who ends up getting 'owned' using
an OpenBSD ethereal port ("It's from OpenBSD, it MUST be safe").

At the same time, it would allow ethereal to get lots of very
useful dissectors that are completely adequate for 'casual'
use, and where -- if you're using them under hostile conditions,
you at least know that you're treading on questionable soil.

Anders Broman (AL/EAB) wrote:
Hi,
I would also think the usage of Ethereal differs quite a lot and therefore the focus of developers may differ.
For me the ability of Ethereal to dissect packets is far more interesting than the security issue, as
I only do sniffing in private networks. Of course I'd like to write secure and bug-free code, but to have a
reasonably OK dissector to be able to do my 'real' work is far more important to me.

This is one of the reasons why I like the Ethereal development model, as new and interesting protocols and features get added quickly.
Best regards
Anders Broman

--
Stephen Samuel +1(604)876-0426                samuel@xxxxxxxxxxx
		   http://www.bcgreen.com/~samuel/
   Powerful committed communication. Transformation touching
     the jewel within each person and bringing it to light.