Wireshark 1.2.2 - how secure is it?

BlackHorseman
Member with 451 posts.
 
Join Date: Apr 2002
21-Oct-2009, 08:34 PM #1
Wireshark 1.2.2 - how secure is it?
Hi,

Well, this is a general question: I've read that, though Wireshark is considered to be maybe the best packet sniffer out there, it used to have some serious security holes. Ones that could be utilized by hackers to gain control of your machine.

Two questions before I start using it:

1) Is this still the case?
2) If I install it, will the security breaches supposedly introduced by Wireshark be present in my system even when I don't run it?

Thanks,
Daniel.
__________________
No animals were harmed in the making of this steak
TOGG
Distinguished Member with 5,362 posts.
 
Join Date: Apr 2002
Location: Birmingham, England
22-Oct-2009, 05:20 PM #2
According to the release notes 1.2.2 fixed three issues; http://www.wireshark.org/security/wnpa-sec-2009-06.html
wgman21
Member with 104 posts.
 
Join Date: Dec 2008
Experience: Intermediate
22-Oct-2009, 06:50 PM #3
WTH is a packet sniffer?
TOGG
Distinguished Member with 5,362 posts.
 
Join Date: Apr 2002
Location: Birmingham, England
23-Oct-2009, 01:39 PM #4
Software to 'sniff' (or check or test) the content of packets of data passing over a network I think (I didn't check Wikipedia, so that could be completely wrong!).

I only knew about Wireshark because I visit the Internet Storm Center at a site called SANS.org, which is maintained by and for network admins and most of it goes over my head. However, it does occasionally have info of interest to a general home user like myself (such as early warning of the next major exploit).

Here's the Wireshark story as it appeared at SANS.org; http://isc.sans.org/diary.html?storyid=7132
__________________
Nothing matters very much, and few things matter at all.

Lord Balfour 1848-1930
BlackHorseman
Member with 451 posts.
 
Join Date: Apr 2002
28-Oct-2009, 07:52 AM #5
As I understand it, all information transferred through the Internet is packed in packets. What Wireshark (and any other packet sniffer) does is read and analyze those packages, without stopping them from reaching their destination. However, in order to do that it requires access to sensitive OS areas, which means that if it has security vulnerabilities/holes, they could be used to do some damage to your system.

TOGG - yeah, I've read the R-notes. But it discusses some specific fixes they've made, doesn't really tell you how secure (or not) it is now.
__________________
No animals were harmed in the making of this steak
lotuseclat79
Distinguished Member with 21,345 posts.
 
Join Date: Sep 2003
Location: -71.45091, 42.27841
28-Oct-2009, 10:32 AM #6
Hi BlackHorseman,

Here's a Security excerpt from Wireshark:

Quote:
One possible alternative is to run tcpdump, or the dumpcap utility that comes with Wireshark, with superuser privileges to capture packets into a file, and later analyze these packets by running Wireshark with restricted privileges on the packet capture dump file. On wireless networks, it is possible to use the Aircrack wireless security tools to capture IEEE 802.11 frames and read the resulting dump files with Wireshark.

As of Wireshark 0.99.7, Wireshark and tshark run dumpcap to do traffic capture. On platforms where special privileges are needed to capture traffic, only dumpcap needs to be set up to run with those special privileges - neither Wireshark nor tshark need to run with special privileges, and neither of them should be run with special privileges.

As an aside, I would only run Wireshark as advised above, and then only to inspect an internal network. The latest stable version is 1.2.3 / 2009-10-27.

-- Tom
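
The privilege split described in the quoted excerpt (only dumpcap holds capture rights, the analyzers run unprivileged on a saved file) can be checked on a Linux install with a short script. This is an added example, not part of the original thread and not Wireshark's own code; the function names, the `/usr/bin` paths and the interface name `eth0` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): verify the capture/analysis privilege split.
# Function names, example paths and the interface name eth0 are assumptions.

# Report how a binary gets elevated rights: setuid | capabilities | none | missing
priv_source() {
    bin=$1
    [ -f "$bin" ] || { echo missing; return 0; }
    if [ -u "$bin" ]; then echo setuid; return 0; fi
    # getcap (libcap) lists Linux file capabilities such as cap_net_raw.
    if command -v getcap >/dev/null 2>&1 &&
       getcap "$bin" 2>/dev/null | grep -q 'cap_net'; then
        echo capabilities; return 0
    fi
    echo none
}

# Audit an install: dumpcap may be privileged, the analyzers must not be.
# Usage: audit_split /usr/bin/dumpcap /usr/bin/wireshark /usr/bin/tshark
audit_split() {
    dumpcap_bin=$1; shift
    failed=0
    if [ "$(priv_source "$dumpcap_bin")" = missing ]; then
        echo "WARN: no dumpcap at $dumpcap_bin" >&2
    fi
    for analyzer in "$@"; do
        case $(priv_source "$analyzer") in
            setuid|capabilities)
                echo "FAIL: $analyzer is privileged" >&2; failed=1 ;;
        esac
    done
    return "$failed"
}

# Open a saved capture with tshark, refusing to do so as uid 0.
# The uid is a parameter (default: the current user) so the guard can be tested.
analyze_capture() {
    pcap=$1; uid=${2:-$(id -u)}
    if [ "$uid" -eq 0 ]; then
        echo "refusing to run the analyzer as root" >&2; return 2
    fi
    [ -r "$pcap" ] || { echo "cannot read $pcap" >&2; return 1; }
    tshark -r "$pcap"
}

# Capture step, run where dumpcap has been granted capture rights:
#   dumpcap -i eth0 -a duration:60 -w /tmp/trace.pcapng
# Analysis step, run as an ordinary user:
#   analyze_capture /tmp/trace.pcapng
```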
All times are GMT -4.