It should be obvious that tapping into a network's traffic lets you see many things you shouldn't see. For example, the passwords typed by users of applications such as Telnet and FTP are transmitted across the network exactly as the user enters them. (This is called the cleartext representation of the password, in comparison to the encrypted representation. It is the encrypted representation that is stored in the Unix password file, normally /etc/passwd or /etc/shadow.) Nevertheless, there are many times when a network administrator needs to use a tool such as tcpdump to diagnose network problems.
Our use of tcpdump is as a learning tool, to see what really gets transmitted across the network. Access to tcpdump, and similar vendor-supplied utilities, depends on the system. Under SunOS, for example, access to the NIT device is restricted to the superuser. The BSD Packet Filter uses a different technique: access is controlled by the permissions on the devices /dev/bpfXX. Normally these devices are readable and writable only by the owner (which should be the superuser) and readable by the group (often the system administration group). This means normal users can't run programs such as tcpdump, unless the system administrator makes the program set-user-ID.
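As an added example (not from the book), the permission rules just described can be turned into a small audit: each /dev/bpfN listing is checked for superuser ownership and an owner-rw/group-r mode, and the tcpdump binary is checked for the set-user-ID bit that would hand capture access to every user. The function names and the sample listing are my own constructions.

```sh
#!/bin/sh
# Added example: audit /dev/bpfN permissions against the policy in the text
# (superuser owns the device, owner rw, group at most r, others nothing) and
# flag a set-user-ID tcpdump, which would hand that access to every user.
# Check one "ls -l" line; return 0 if it complies, else print why and return 1.
bpf_line_ok() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    owner=$(printf '%s\n' "$1" | awk '{print $3}')
    path=$(printf '%s\n' "$1" | awk '{print $NF}')
    case $mode in
        c*) ;;
        *) echo "$path: not a character device ($mode)"; return 1 ;;
    esac
    if [ "$owner" != root ]; then
        echo "$path: owned by $owner, expected root"; return 1
    fi
    case $mode in
        crw-r-----|crw-------) return 0 ;;
        *) echo "$path: mode $mode exceeds owner rw / group r"; return 1 ;;
    esac
}
# Audit a listing (one "ls -l" line per device); 1 if any device violates.
audit_listing() {
    rc=0
    while IFS= read -r l; do
        if [ -n "$l" ]; then bpf_line_ok "$l" || rc=1; fi
    done <<EOF
$1
EOF
    return $rc
}
# Live check on a BSD-derived host; 0 when no /dev/bpf* device exists.
audit_bpf_devices() {
    ls /dev/bpf* >/dev/null 2>&1 || return 0
    audit_listing "$(ls -l /dev/bpf*)"
}
# 0 if the tcpdump on PATH is set-user-ID, 1 if not (or not installed).
tcpdump_is_setuid() {
    bin=$(command -v tcpdump 2>/dev/null) || return 1
    [ -u "$bin" ]
}
# Constructed sample listing (not from a real host): bpf1 is world-writable
# and bpf2 has the wrong owner, so audit_listing should return 1 for it.
SAMPLE_LISTING='crw-r-----  1 root  wheel   23,   0 Jan  1 12:00 /dev/bpf0
crw-rw-rw-  1 root  wheel   23,   1 Jan  1 12:00 /dev/bpf1
crw-r-----  1 bob   wheel   23,   2 Jan  1 12:00 /dev/bpf2'
audit_listing "$SAMPLE_LISTING" || echo "sample listing violates the policy (expected)"
```

On a BSD host, `audit_bpf_devices` runs the same checks against the real devices, and `tcpdump_is_setuid` reports whether the administrator has made tcpdump set-user-ID.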