So I've been working on a site that accepts credit card payments. I'm being super paranoid about security and want to make absolutely certain that all communications with the payment gateway are encrypted so I'm installing TCPDUMP so I can sniff the packets and make sure they're all encrypted.

I'm running Debian Sarge and tried this:

server:/# apt-get install tcpdump
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
 libc6 libc6-dev libpcap0.8 libssl0.9.8 locales tzdata
Suggested packages:
 glibc-doc
The following packages will be REMOVED:
 base-config initrd-tools kernel-image-2.6.8-2-386
The following NEW packages will be installed:
 libssl0.9.8 tcpdump tzdata
The following packages will be upgraded:
 libc6 libc6-dev libpcap0.8 locales
4 upgraded, 3 newly installed, 3 to remove and 294 not upgraded.
Need to get 14.9MB of archives.
After unpacking 34.3MB disk space will be freed.
Do you want to continue? [Y/n]

This says the kernel will be removed which makes me nervous. uname -r tells me that it's the current kernel too:

server:/# uname -r
2.6.8-2-386

Does that sound normal? Remember that this server is going to be doing monetary transactions. If I install tcpdump does that introduce any vulnerabilities? Can I uninstall it? What about promiscuous mode? Is that always on? If I uninstall is everything 'back to normal' or will my server be forever a promiscuous network slut?
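Two of the questions above (is promiscuous mode always on, and how do I check that only encrypted traffic reaches the gateway) can be answered from the shell. The script below is an added example, not code from the original thread: it reads the interface flags from sysfs to tell whether an interface is currently promiscuous (libpcap only sets the flag while a capture is running and clears it on exit), and builds a capture filter that matches anything exchanged with the gateway outside the TLS port. The interface name and gateway host are placeholders; the sysfs path is standard on Linux.

```shell
#!/bin/sh
# Added example (not from the thread): check for promiscuous mode and build a
# capture filter that reveals cleartext traffic to a payment gateway.
# Assumes Linux with /sys/class/net; "eth0" and the gateway host are assumptions.

# IFF_PROMISC is bit 0x100 of the kernel's interface flags word.
IFF_PROMISC=256

# is_promisc FLAGS: FLAGS is the hex word found in /sys/class/net/<iface>/flags
# (e.g. 0x1003). Prints "yes" if the promiscuous bit is set, else "no".
is_promisc() {
    flags=$(( $1 ))
    if [ $(( flags & IFF_PROMISC )) -ne 0 ]; then
        echo yes
    else
        echo no
    fi
}

# iface_promisc IFACE: read the live flags for an interface and report.
# Prints "unknown" and returns 1 if the interface does not exist.
iface_promisc() {
    f="/sys/class/net/$1/flags"
    [ -r "$f" ] || { echo unknown; return 1; }
    is_promisc "$(cat "$f")"
}

# cleartext_filter GATEWAY: tcpdump/BPF filter that matches every packet to or
# from the gateway that is NOT on TCP port 443. During a test checkout, any
# packet this shows is traffic that left the box unencrypted.
cleartext_filter() {
    echo "host $1 and not tcp port 443"
}

# When run directly with an interface name, report its promiscuous state and
# print the capture command to run during a test transaction. "-p" tells
# tcpdump not to enable promiscuous mode at all, which is enough when you only
# care about this host's own traffic.
if [ -n "$1" ]; then
    printf '%s promiscuous: %s\n' "$1" "$(iface_promisc "$1" || true)"
    printf 'tcpdump -p -nn -i %s "%s"\n' "$1" "$(cleartext_filter gateway.example.com)"
fi
```

Run it as `sh check_promisc.sh eth0` before and after a capture to confirm the flag goes back to "no"; the printed tcpdump line is the one to run while performing a test payment.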

    Tcpdump isn't a service, it's just a program - you run it, you ctrl-c it, it's done. It shouldn't be a security issue if you install it, because it doesn't run as a service (or open a port, as far as I can tell.) Perhaps install it on a test-bed to familiarize yourself with it and work out your jitters, then you'll be okay to install it on the production server? 🙂

    Edit: I run centOS so I'm not familiar with apt-get, but you should be able to do "apt-get remove tcpdump" after you're finished with it.

      Interesting... he's right about the modification to glibc, though, I suppose. Maybe you could install a packet sniffer that's not gonna change that? Or install an older version of tcpdump?

        I updated my sources.list and got it installed. hoorah!
