Yahoogroups and Carnivore
Bill McGonigle
mcgonigle at medicalmedia.com
Mon Sep 17 22:55:27 UTC 2001
On Monday, September 17, 2001, at 05:46 PM, Benny Fischer wrote:
> -In the FAQ they claim there is no IP stack .. so how can it have IP based
> filters to let in traffic .. or is this all done with custom software?
>
If they're just capturing raw ethernet, they can disassemble the packets
themselves without exposing the machine to "everything-over-IP"
vulnerabilities. Surprisingly good design.
Still, I can't see how they can do all the analysis with
"post-processing". There's just too much data on a big ISP's net. Does
it write to a monstrous tape library? I'd think they'd at least want to
do packet reassembly and sequencing in memory, then some filtering, for
ease of analysis. That would mean in-line software, which could, of
course, be brought down with just the right malformed TCP packet
sequence. Unless they have much better-than-average programmers at the
FBI. Of course if they're doing any filtering at that level, they'll
miss steganographic TCP sequence numbers, etc. (if someone's invented
that...)
-Bill
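The two points in the reply above, dissecting raw Ethernet frames in userland without handing them to a kernel IP stack, and the risk that a malformed header takes an in-line analysis process down, are illustrated by the following added example. It is not code from the thread or from any FBI or ISP system; the frames are constructed in the script, the function names (dissect, build_frame, triage) are my own, and checksums are left zero because the dissector never relies on them. Every length field in the Ethernet, IPv4 and TCP headers is checked against the bytes actually present, so a frame that lies about its own lengths is counted and dropped rather than crashing the loop.

```python
"""Userland dissection of raw Ethernet frames with defensive length checks.

Added example, not code from the original post. All frames below are
constructed in build_frame(); nothing here touches a kernel IP stack.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


class MalformedPacket(ValueError):
    """Raised instead of crashing when a header's length fields disagree with the frame."""


@dataclass
class TcpSummary:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    flags: int
    payload: bytes


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def dissect(frame: bytes) -> Optional[TcpSummary]:
    """Return a TcpSummary for an IPv4/TCP frame, None for other traffic.

    Each header is bounds-checked before any field past it is read, so a
    truncated frame, an IHL below 20 bytes, or a TCP data offset pointing
    past the end of the frame raises MalformedPacket instead of IndexError
    or struct.error.
    """
    if len(frame) < 14:
        raise MalformedPacket("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None                       # ARP, IPv6, etc.: not our concern here
    ip = frame[14:]
    if len(ip) < 20:
        raise MalformedPacket("truncated IPv4 header")
    ver_ihl = ip[0]
    if ver_ihl >> 4 != 4:
        raise MalformedPacket("ethertype says IPv4 but version nibble does not")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(ip):
        raise MalformedPacket(f"bad IHL {ihl}")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if total_len < ihl or total_len > len(ip):
        raise MalformedPacket("IPv4 total length disagrees with frame")
    if ip[9] != PROTO_TCP:
        return None
    src_ip, dst_ip = _ip(ip[12:16]), _ip(ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise MalformedPacket("truncated TCP header")
    src_port, dst_port, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(tcp):
        raise MalformedPacket(f"bad TCP data offset {data_off}")
    return TcpSummary(src_ip, dst_ip, src_port, dst_port, seq,
                      off_flags & 0x01FF, tcp[data_off:])


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int,
                payload: bytes, ihl_words: int = 5, data_off_words: int = 5) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame (constructed test input).

    ihl_words and data_off_words let a caller deliberately write a wrong
    header length, to exercise the dissector's checks.
    """
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                      (data_off_words << 12) | 0x018, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, 20 + len(tcp),
                     0, 0, 64, PROTO_TCP, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split(".")))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def triage(frames: List[bytes], port: int) -> Tuple[List[TcpSummary], int, int]:
    """Keep TCP segments touching `port`; count malformed and non-TCP frames.

    One bad frame is recorded and skipped, so the capture loop keeps running.
    """
    kept, malformed, other = [], 0, 0
    for f in frames:
        try:
            s = dissect(f)
        except MalformedPacket:
            malformed += 1
            continue
        if s is None:
            other += 1
        elif port in (s.src_port, s.dst_port):
            kept.append(s)
    return kept, malformed, other


# Constructed sample traffic: one clean SMTP segment, one HTTP segment,
# and three frames whose headers are wrong in different ways.
SAMPLE_FRAMES = [
    build_frame("192.0.2.10", "198.51.100.5", 40000, 25, 1000, b"EHLO example\r\n"),
    build_frame("192.0.2.11", "198.51.100.5", 40001, 80, 2000, b"GET / HTTP/1.0\r\n"),
    build_frame("192.0.2.12", "198.51.100.5", 40002, 25, 3000, b"", ihl_words=3),          # IHL below minimum
    build_frame("192.0.2.13", "198.51.100.5", 40003, 25, 4000, b"x", data_off_words=15),  # offset past frame end
    build_frame("192.0.2.14", "198.51.100.5", 40004, 25, 5000, b"y")[:30],               # truncated on the wire
]

if __name__ == "__main__":
    kept, bad, other = triage(SAMPLE_FRAMES, 25)
    for s in kept:
        print(f"{s.src_ip}:{s.src_port} -> {s.dst_ip}:{s.dst_port} seq={s.seq} {s.payload!r}")
    print(f"kept={len(kept)} malformed={bad} other={other}")
```

Running it keeps only the clean port-25 segment and reports the three broken frames as malformed. The same pattern scales to reassembly: a sequencing stage that refuses to trust a header it has not bounds-checked is the difference between an in-line filter that degrades gracefully and one that falls over on the first odd packet.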