Wireshark-dev: Re: [Wireshark-dev] [Fwd: [Wireshark-bugs] [Bug 1741] New: Privilege separation
From: Guy Harris <[email protected]>
Date: Thu, 16 Aug 2007 09:47:04 -0700
Jeff Morriss wrote:

tcpdump and commercial sniffer products probably need root access and are reading from the network, but I'm not sure tcpdump counts as "big"
It's not as big as Wireshark, but it *has* had its own problems with 
code vulnerable to malicious packets.
It will, before opening a capture file to read, and after opening a 
capture device on which to do a live capture, drop privileges to run 
with the real user and group ID.
and I know nothing of commercial sniffers.
Most of 'em run on Windows, and thus come with a driver of some sort to 
support capturing; I suspect they arrange that either anybody, 
administrators, or the user who installed the sniffer can open the 
device, so it runs as the user.
One that used to run on a UN*X was EtherPeek for OS X; according to the 
manual I have, when you started it, it popped up a dialog with a list of 
adapters, and required you to click an "unlock" button to capture on the 
selected adapter.  That opened a dialog asking for an administrator's 
password.  I *suspect* that caused it to run a program or script as 
root; if so, it might have changed the BPF devices to be accessible by 
the user.