The server where Wireshark is running has two network interfaces with two networks. The «sniffed» network, and the «office» one, from where people connect to the server. I don't want Wireshark to be able to sniff the office network. How do I do that?
asked 14 Sep '12, 08:15 ASantos
One Answer:
You can't do that on Linux (that I know of). If you were using a BSD-derived OS then it would be possible as each interface has its own (file-based) permissions.
answered 14 Sep '12, 12:29 JeffMorriss ♦
Thanks Jeff
Actually, there are no per-network interface files on *BSD or OS X I know of that would control access to interfaces. The BPF device files have permissions, but once you've opened a BPF device file, you could bind the BPF device to any network interface.
So that won't work on *BSD or OS X, either.
On Tru64 UNIX, you could set a per-interface flag indicating whether a given interface can be put in promiscuous mode by non-privileged users, but that's the only per-interface privilege control I know of.
It would be interesting to see if AppArmor could be of service here. I'm not sure it offers the granularity required.