[42564] in North American Network Operators' Group
Re: Yahoogroups and Carnivore
daemon@ATHENA.MIT.EDU (Bill McGonigle)
Mon Sep 17 22:00:04 2001
Date: Mon, 17 Sep 2001 18:55:27 -0400
Content-Type: text/plain; charset=US-ASCII; format=flowed
Mime-Version: 1.0 (Apple Message framework v468)
Cc: nanog@merit.edu
To: "Benny Fischer" <benny@infinet-is.com>
From: Bill McGonigle <mcgonigle@medicalmedia.com>
In-Reply-To: <AMEAIPIDBCGBMOCLKMDOIEJDCHAA.benny@infinet-is.com>
Message-Id: <1626FCC4-ABBF-11D5-AF13-003065EAE3C0@medicalmedia.com>
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu
On Monday, September 17, 2001, at 05:46 PM, Benny Fischer wrote:
> -In the FAQ they claim there is no IP stack .. so how can it have IP based
> filters to let in traffic .. or is this all done with custom software?
>
If they're just capturing raw ethernet, they can disassemble the packets
themselves without exposing the machine to "everything-over-IP"
vulnerabilities. Surprisingly good design.
Still, I can't see how they can do all the analysis with
"post-processing". There's just too much data on a big ISP's net. Does
it write to a monstrous tape library? I'd think they'd at least want to
do packet reassembly and sequencing in memory, then some filtering, for
ease of analysis. That would mean in-line software, which could, of
course, be brought down with just the right malformed TCP packet
sequence. Unless they have much better-than-average programmers at the
FBI. Of course if they're doing any filtering at that level, they'll
miss steganographic TCP sequence numbers, etc. (if someone's invented
that...)
-Bill
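Added illustration, not part of the thread above: a Python sketch of the "capture raw ethernet and disassemble the packets yourself" design Bill describes, with the length checks that keep one malformed IP or TCP header from taking in-line software down. The frame, the addresses and the `build_frame` knobs are constructed for illustration, not captured traffic.

```python
"""Passive dissector for raw Ethernet/IPv4/TCP frames: no OS IP stack involved."""
import struct

ETHERTYPE_IPV4, PROTO_TCP = 0x0800, 6


class MalformedFrame(ValueError):
    """Raised instead of crashing when a frame violates its own length fields."""


def dissect(frame: bytes) -> dict:
    """Return Ethernet/IPv4/TCP header fields, bounds-checking every length field."""
    if len(frame) < 14:
        raise MalformedFrame("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise MalformedFrame(f"unsupported EtherType {ethertype:#06x}")
    ip = frame[14:]
    if len(ip) < 20:
        raise MalformedFrame("truncated IPv4 header")
    ver_ihl, total_len, proto = ip[0], struct.unpack("!H", ip[2:4])[0], ip[9]
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes; untrusted input
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(ip):
        raise MalformedFrame("bad IPv4 version, IHL or total length")
    if proto != PROTO_TCP:
        raise MalformedFrame(f"unsupported IP protocol {proto}")
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise MalformedFrame("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4  # data offset in bytes; also untrusted input
    if doff < 20 or doff > len(tcp):
        raise MalformedFrame("bad TCP data offset")
    return {"src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x01FF, "payload": tcp[doff:]}


def safe_dissect(frame: bytes):
    """In-line use: one malformed frame must not take the whole monitor down."""
    try:
        return dissect(frame)
    except MalformedFrame:
        return None


def build_frame(ihl_words=5, doff_words=5, payload=b"GET / HTTP/1.0\r\n") -> bytes:
    """Constructed sample frame (not captured traffic); knobs let a test craft bad headers."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (doff_words << 12) | 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, 40 + len(payload), 1, 0, 64,
                     PROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([192, 0, 2, 7]))
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip + tcp + payload
```

`safe_dissect` is the in-line variant: a bad header is dropped and counted rather than propagated as an exception into the capture loop.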