Bug 11336 - add tcpdump to fab4
Status: RESOLVED WONTFIX
Product: SB Touch
Classification: Unclassified
Component: OS
Version: unspecified
Hardware: PC Other
Importance: P5 normal
Target Milestone: Future
Assigned To: Felix Mueller
Depends on:
Blocks:
Reported: 2009-03-12 13:25 UTC by Blackketter Dean
Modified: 2019-01-25 10:35 UTC (History)

Description Blackketter Dean 2009-03-12 13:25:32 UTC

    
Comment 1 Mickey Gee 2009-03-25 17:30:56 UTC
Target changed to MP per Richard.
Comment 2 Richard Titmuss 2009-04-02 02:11:01 UTC
So tcpdump seems big; Felix said:

  # ls -l
  -rwxr-xr-x    1 root     root       696113 Jan  2 08:51 tcpdump

Plus libpcap, that is not currently installed.

We don't really need a fully functional tcpdump on the system, it only needs to be able to capture packets to a file for later analysis. Felix, can you give options to configure to remove all the dissector code?

We should configure or patch tcpdump to prevent promiscuous captures; it should only be able to capture the packets sent/received directly by fab4.

Finally, how is tcpdump used? I propose that on boot we look on removable media for a /pcap folder (or similar), and if that is found then tcpdump captures to a file in that folder, much like the logging. Felix, can you check with Dan if that's ok with support.
Comment 3 Felix Mueller 2009-04-02 03:01:37 UTC
For the first test, I linked tcpdump with libpcap.a statically, which means the reported size of 696113 already includes libpcap.

Option -p can be used to run in non-promiscuous mode.
Comment 4 Richard Titmuss 2009-04-02 04:06:36 UTC
Sorry, I wasn't clear about promiscuous mode. We need to make sure that nobody can ever run in promiscuous mode, for security reasons, to prevent a malicious applet capturing network traffic using the installed tcpdump. So either a configuration option, or a patch, to remove the ability to run in promiscuous mode is required.
Comment 5 Blackketter Dean 2009-04-02 08:18:46 UTC
Hm, given that applets run as root without any real jail, I'm not sure disabling -p really offers any significant security help. I suppose it couldn't hurt, but a separate audit is probably more important than implementing this limit.
Comment 6 Richard Titmuss 2009-04-02 08:21:24 UTC
Fair enough, we should patch the kernel to prevent this instead then.
Comment 7 Felix Mueller 2009-04-03 08:21:07 UTC
r5116 adds tcpdump (which in turn adds libpcap.so)

I was able to reduce the footprint a little bit (about 70k) by disabling smb. Trying to disable any of the other packets did not result in a reduction at all. I am not sure what I am doing wrong here.

TODO:
- kernel needs to be fixed to not allow promiscuous mode.
- add logic to start dumping packets to a file when an SD card with the special folder is found during startup
Comment 8 Richard Titmuss 2009-04-07 01:22:54 UTC
This is a nice to have for MP. tcpdump is in the firmware, so a capture could be made using a squeezeos-boot.sh script if needed. Punting to 7.4.
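The boot-time capture proposed in comment 2 and left as a TODO in comment 7 (look for a special folder on removable media, and if present start tcpdump writing to a file there) can be sketched as a small boot-script fragment. The following is an added example written for this page, not SqueezeOS code and not the squeezeos-boot.sh mentioned above; the folder name pcap, the media mount points, the interface name eth0 and the file-rotation limits are all assumptions. It uses -p as comment 3 describes so only fab4's own traffic is captured, and -w so no dissector output is needed; as comments 4 to 6 note, -p is a default and not a control, so the kernel-side fix remains the real mitigation.

```shell
#!/bin/sh
# Added example: hypothetical boot-script fragment for a pcap trigger folder.
# Assumed: removable media are mounted under one of MEDIA_ROOTS, the trigger is
# a top-level folder named "pcap" (name assumed from comment 2), and the device
# talks on CAPTURE_IF.
MEDIA_ROOTS="${MEDIA_ROOTS:-/media/sda1 /media/mmcblk0p1}"
CAPTURE_IF="${CAPTURE_IF:-eth0}"

# Print the first media root that contains a pcap/ folder; exit 1 if none.
find_pcap_dir() {
    for root in "$@"; do
        if [ -d "$root/pcap" ]; then
            echo "$root/pcap"
            return 0
        fi
    done
    return 1
}

# Compose the tcpdump command line (printed, not run, so it can be checked).
#   -p     non-promiscuous: only frames addressed to/from this host (comment 3)
#   -s 0   full packets; older tcpdump defaults to a 68-byte snaplen
#   -w     raw capture to file, no dissection needed on the device (comment 2)
#   -C/-W  rotate at 10 MB, keep 5 files, so a forgotten capture cannot
#          fill the card (assumed limits)
build_capture_cmd() {
    dir="$1"; iface="$2"; stamp="$3"
    echo "tcpdump -p -i $iface -s 0 -C 10 -W 5 -w $dir/fab4-$stamp.pcap"
}

# Boot hook: start a background capture only when the trigger folder exists.
start_boot_capture() {
    dir=$(find_pcap_dir $MEDIA_ROOTS) || return 0   # no trigger folder: nothing to do
    cmd=$(build_capture_cmd "$dir" "$CAPTURE_IF" "$(date +%Y%m%d-%H%M%S)")
    echo "starting capture: $cmd" >> "$dir/capture.log"
    $cmd >> "$dir/capture.log" 2>&1 &
}

# Only act when invoked from boot with the "boot" argument.
if [ "${1:-}" = "boot" ]; then
    start_boot_capture
fi
```

Because the capture file lands on the removable card, whoever collects it also gets the log line recording exactly which command was started; that, together with the absence of the trigger folder on a normal device, is what keeps the capture opt-in rather than always-on.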
Comment 9 Felix Mueller 2009-09-24 02:51:24 UTC
Changing Target Milestone after talking to Richard.