BARBELITH underground
 



Carnivore installation...

 
 
netbanshee
18:15 / 12.09.01
quote: However, the FBI have just had Carnivore installed in ISPs all over America. Apparently they were in many of these places yesterday afternoon. I understand their urgency, but it seems like a convenient cover for getting infringements of civil liberties pumped through asap.

I agree with this but have been looking into it a little bit lately...

Quick note too:

Tom...where did you get this info???

In the latest 2600, there's an article on the use of Carnivore. Apparently, it only picks up To: and From: headings from emails and if there is a match of a suspected felon, etc., it copies the content of the email. So unless you're a suspicious fellow...I wouldn't worry that much now.

Echelon..on the other hand...has the capability of finding any and all transmissions and looking for keywords that are being looked for. This of course is the case if it in fact exists.

Also..here's more info:

Robert Graham's FAQ

Declassified Carnivore documents
 
 
Frances Farmer
18:23 / 12.09.01
Two notes.

First, Echelon exists. Better believe it.

Second, Carnivore records (stores) based on the contents of the "to" and "from" lines within the headers. However, it's my guess that the technical implementation is capable of and does "sniff" the entire message to acquire the data in the "to" and "from" lines of the header. I'll look into it to verify, but I wouldn't be surprised if the occurrence of a searched-for e-mail address within the body of a message would warrant a red flag of sorts.

Note, for instance, that the FBI can tap a phone to a business suspected of money laundering with a warrant dictating that they may intercept calls sourced from a list of names and directed to the business in question, and still intercept all of the non-related communiqués exchanged without violating the conditions of the Fourth Amendment.
 
 
Frances Farmer
18:43 / 12.09.01
Reviewed the tech notes.

Cursory analysis:

Due to the notes made pertaining to RADIUS, I have to assume Carnivore integrates in a very tight manner with whatever SMTP/POP3 platform it's listening to. It makes no mention of IMAP, but talks a bit about POP3. That means it tracks the way in which mail is being received at the end-user level - NOT just the flow of mail between SMTP servers. It would appear that Carnivore tracks who authenticates to send or receive mail and when they do it (it makes mention to catching RADIUS data - RADIUS is an authentication standard). It would also appear that Carnivore isn't a sniffer, but rather a parser. I believe a piece of software referred to in the technotes as "Packeteer" will wholly capture all data passed through a given interface (perhaps with a minimum of low-level sorting so as to avoid overloading Carnivore), and refers the 'catches' to Carnivore, which will in turn check the data received for relevance and record or discard depending. There's no need for an interface (that is, an 'orifice' by which a network device can speak with other network devices), in this case, to be in promiscuous mode (a mode wherein, for lack of better terminology, an interface listens to traffic that's not strictly its business), as it would appear that a given Carnivore platform will either a) interface directly with a provider's SMTP setup, b) sniff off of the broadcast media for the array of SMTP servers in a given location (throw an Ethernet interface into promiscuous mode and start 'fishing'), or c) sit 'transparently' on the line, wholly forwarding (after intercepting) all traffic in one interface and out the other. So far, I think 'a' and 'c' are the most likely - probably 'c', but it's hard to tell. The document makes no mentions as to whether or not the PII 300MHz used in the 2k trials was set up with two NICs (this would give us more data as to whether or not we're looking at 'a' or 'c').
It also gives no indications as to the nuts-and-bolts of Packeteer, which I believe is the key to this whole thing. It's not my impression that these Carnivore boxes are designed to sit on Internet nodes (they don't have the crunching power to filter through mass amounts of traffic) - but rather sift through traffic that's already being routed to a segment containing an SMTP server. All assumptions.

The basic, non-babblish meaning of all this is, Carnivore (or rather, Packeteer) is capable of hearing all traffic bound to or from an SMTP server on the same segment as the Carnivore box (assuming we're looking at the segment-based promiscuous sniffer setup). Packeteer probably handles some very low-level (as in, close to machine/assembly) parsing and hands off a lot of unfiltered results to a higher-level application. That higher-level application is currently Carnivore, but could be a number of things. Back to the RADIUS thing - I'm guessing Carnivore talks RADIUS so they can determine who's authenticating to send what mail over what account. SMTP is a flexible thing. Mail can be 'from' or 'to' just about anywhere. In order to ensure you can put 'faces to names' (so to speak), it's necessary to know who's authenticating to send the mail - not just what the 'from' line says. I hope that makes sense. I don't always provide the most coherent explanations. If there are any other geeks out there, please feel free to correct me if I appear to have gotten any of this wrong.

I'm getting sloppy here, but I thought it might help to give an idea.
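
An added example, not part of the post above and not code from Carnivore or its documents: the gap the post describes between what a message's 'from' line says and who authenticated to send it, shown on one SMTP session as a mail operator would see it. The session text, the addresses, and the use of AUTH PLAIN are constructed assumptions; `sender_identities` and `header_matches` are hypothetical helper names.

```python
import base64
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed client side of one SMTP session (not captured traffic).
SESSION = "\r\n".join([
    "EHLO workstation.example",
    "AUTH PLAIN " + base64.b64encode(b"\0alice\0not-a-real-password").decode(),
    "MAIL FROM:<alice@isp.example>",
    "RCPT TO:<carol@elsewhere.example>",
    "DATA",
    "From: Bob <bob@other.example>",
    "To: carol@elsewhere.example",
    "Subject: hello",
    "",
    "Write to dave@third.example about it.",
    ".",
    "QUIT",
])

def sender_identities(session):
    """Return the three 'who sent this' answers one SMTP session carries."""
    commands, _, rest = session.partition("\r\nDATA\r\n")
    body = rest.split("\r\n.\r\n", 1)[0]
    out = {"auth_user": None, "envelope_from": None, "envelope_to": []}
    for line in commands.split("\r\n"):
        verb, _, arg = line.partition(" ")
        if verb.upper() == "AUTH" and arg.upper().startswith("PLAIN "):
            # AUTH PLAIN payload is base64(authzid NUL authcid NUL password)
            fields = base64.b64decode(arg.split()[1]).split(b"\0")
            out["auth_user"] = fields[1].decode()
        m = re.match(r"(?i)(MAIL FROM|RCPT TO):\s*<([^>]*)>", line)
        if m and m.group(1).upper() == "MAIL FROM":
            out["envelope_from"] = m.group(2)
        elif m:
            out["envelope_to"].append(m.group(2))
    msg = message_from_string(body)
    out["header_from"] = parseaddr(msg.get("From", ""))[1]
    out["header_to"] = [a for _, a in getaddresses(msg.get_all("To", []))]
    return out

def header_matches(ids, watched):
    """True only when the watched address is in the From:/To: headers."""
    return watched in [ids["header_from"], *ids["header_to"]]
```

On the constructed session the authenticated user is `alice` while the From: header names `bob@other.example`, and an address that appears only in the body does not count as a header match.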
 
 
The Return Of Rothkoid
09:41 / 13.09.01
Wired covered the installation here.
 
  