Capturing without being root

It is sometimes necessary to capture the content of network traffic. Most people use a tool like wireshark or tcpdump to do that. Since these tools have the need to listen in promiscuous mode to the network interface, most people run them as root. Wireshark has had a lot of vulnerabilities in the code, which is unavoidable with the enormous amount of protocols being supported by reverse engineering. They have taken steps in the past to mitigate the impact of vulnerabilities by using a separate tool, dumpcap, which has a much smaller and simpler codebase.

Still, most people run wireshark as root, ‘because then it works’. Right, Gerald Combs has written an article on how to configure your system with capabilities so you don’t have to run wireshark as root any more. It works by granting users you want to be able to capture, the capability of being able to capture. That simple.

Gems documentation

When trying metric_fu, gem told me quite gently, though persistently, that it did not know about metric_fu. Blimey. You’ve got to look around the Intarnetz, but then you can find the stuff you need to get more than one repository.

So, what’s the trick?

gem sources

lists the sources that are already available.

gem sources -a

adds that source to the other sources. Jay! That’s what we needed,


I wanted to write about BotHunter for quite some time, but, alas, the holidays interfered.

BotHunter is basically a fully passive analyser based on the Snort tool. The text on their website says:

BotHunterTM is a novel, dialog-correlation-based engine (patent-pending), which recognizes the communication patterns of malware-infected computers within your network perimeter. BotHunterTM is a passive traffic monitoring system, which ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of successful local host infection. When a sequence of in and outbound dialog warnings are found to match BotHunter’s infection dialog model, a consolidated report is produced to capture all of the relevant events and event sources that played a role during the infection process.

They presented a paper at the 16th USENIX Security Symposium. It’s well worth reading.

Technorati Tags: ,

VMWare Fusion in Pre-release

VMWare will release a Mac OSX version of VMWare which will enable MacOS to run Windows applications in parallell. Just what Parallels also does. It will be quite a test to see which of the two will be best. For now, VMWare will run the 64bit versions of Vista and XP as well.

But, I must say, I await the arrival of Linux on my mac most. I can’t wait.

The official release will be about $40, but you can also download a 30day trial.

Technorati Tags: