When my security group rejected offering wireshark within my company they stated the following issues: 1. Denial of service issues This is version 1.8.6 Any thoughts as to how convince my security group to allow us access to wire asked 18 Jun '13, 08:30 Rich_Warren |
3 Answers:
Wireshark is vulnerable to crashing from either mal-formed packets (whether malicious or not), or even well-formed packets due to bugs in the Wireshark code. But the only service that would be denied would be Wireshark itself, and then only on that 1 computer/device doing the capturing. Denial of service? I suppose. Look, there's risk involved with using just about any tool, but you have to weigh the benefits of using that tool vs. the risks involved with doing so. Do you realize that using a chainsaw to cut down a tree can be quite dangerous? I think it would be far safer to cut it down with a butter knife, don't you? To me, there's no question that the rewards greatly outweigh the risks ... in both cases. The alternatives are just not practical. Good luck. P.S. See also: http://wiki.wireshark.org/Security answered 18 Jun '13, 10:25 cmaynard ♦♦ edited 18 Jun '13, 10:29 |
Wireshark is a passive network analysis tool. It will not send any data into the network (except some DNS queries if you enabled name resolution). So there is no way how Wireshark could be involved in any denial of service issue. I'm sorry to say that, but your security group has either no idea how Wireshark works or no idea how a denial of service attack works. In either case they should either give more information about their concerns (what kind of denial of service are they talking) or allow you to use Wireshark, if you have a legitimate use for Wireshark ;-) Regards answered 18 Jun '13, 10:27 Kurt Knochner ♦ edited 18 Jun '13, 10:29 |
I think the best approach here is to ask them why they view it as a potential DOS concern. Really we're just speculating on what their reason is for that assessment and coming up with a counter to straw man arguments at this point without more details on their reasoning. For a security group viewpoint, I'd be more worried about potential for reconnaissance, leading to some other form of attack, which Wireshark can definitely help with. Unless they're talking about the potential for DNS PTR query flooding, which is configurable, I don't see other potential here for Wireshark-based DOS. answered 18 Jun '13, 21:04 Quadratic |