

This page should collect information about security topics.


In most programs, only some parts work directly with "outside" data (from a file or the network), so to avoid security problems the developers review those parts, which (hopefully) eliminates most security problems.

Ethereal is a bit different here, as almost the complete code works with data from the "outside" (whether captured live or loaded from a file). A code review of the relevant parts would therefore be a code review of the complete Ethereal code, which would be a huge effort, and even then not all problems might be found. This makes Ethereal more vulnerable to attacks than most other programs.

Ethereal is implemented in ANSI C, which is vulnerable to security problems like buffer overflows (compared to languages designed to be more secure, like Java or C#). ANSI C is used for several reasons; the main reason is performance, as Ethereal is often used to work with huge amounts of data.

A further security problem is that the Ethereal development process includes patches from many different developers (with different levels of programming skill) all around the world, while only a few developers review the patches before they are checked into the main source tree.

Conclusion: The current development model won't change, for several reasons, so if there are concerns about the security problems mentioned above, different approaches that avoid their drawbacks should be taken.

The best way might be to run Ethereal in a user account which can't do any real harm. As live capturing from the network needs administrator privileges on some platforms, additional steps have to be taken; see below.


The WinPcap (NPF) driver is loaded by Ethereal when it starts to capture live data.

This loading requires administrator privileges. Once the driver is loaded, every local user can capture from it until it's stopped again.

To be secure (at least to some degree), it is recommended that the administrator always works in a user account, and only starts processes with administrator privileges when they really need them.

Using Ethereal from a user account could then look like this:

Start the NPF driver:

runas /u:administrator "net start npf"

Start Ethereal and work with it, including capturing, until the specific job is finished.

Stop the NPF driver again:

runas /u:administrator "net stop npf"

This way, it's a lot more secure than running with the administrator account. However, while the driver is loaded, any local user can also capture from the network. This might not be desirable, but it currently can't be circumvented. Please note that this is not a limitation of the Ethereal implementation, but of the underlying WinPcap driver.
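
The three steps above can be wrapped in one script so that the NPF driver is stopped again even if Ethereal exits abnormally, which keeps the time during which any local user can capture as short as possible. This is an added example, not part of the original page or of Ethereal; the install path, the timeout and the function names Get-NpfState and Set-NpfState are assumptions, and the state check assumes English sc.exe output.

```powershell
# Added example: start NPF, run Ethereal as the current user, always stop NPF again.
$EtherealExe = 'C:\Program Files\Ethereal\ethereal.exe'  # assumed install path
$AdminUser   = 'administrator'                           # account name used on the page

function Get-NpfState {
    # sc.exe can query the driver state from a normal user account.
    # Assumes English output, e.g. "STATE  : 4  RUNNING".
    $out = & sc.exe query npf 2>&1 | Out-String
    if ($out -match 'STATE\s*:\s*\d+\s+(\w+)') { return $Matches[1] }
    return 'UNKNOWN'   # driver not installed or query failed
}

function Set-NpfState([string]$Verb, [string]$Wanted, [int]$TimeoutSec = 60) {
    # Same runas invocation as on the page. runas prompts for the password and
    # returns before "net" has finished, so poll the driver state afterwards.
    & runas.exe "/u:$AdminUser" "net $Verb npf"
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-NpfState) -ne $Wanted) {
        if ((Get-Date) -gt $deadline) { throw "npf did not reach state $Wanted" }
        Start-Sleep -Seconds 1
    }
}

$startedHere = $false
try {
    if ((Get-NpfState) -ne 'RUNNING') {
        Set-NpfState -Verb 'start' -Wanted 'RUNNING'
        $startedHere = $true
    }
    # Ethereal itself runs in the current, unprivileged user account.
    Start-Process -FilePath $EtherealExe -Wait
}
finally {
    # Stop the driver only if this script loaded it; another session may rely on it.
    if ($startedHere) { Set-NpfState -Verb 'stop' -Wanted 'STOPPED' }
}
```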