Educause Security Discussion mailing list archives

Re: Sniffer notification


From: Cal Frye <cjf () CALFRYE COM>
Date: Tue, 23 Mar 2004 12:42:58 -0500

Doug Sandford wrote:

> So are you saying that the decision to begin the sniffer process was
> validated due to network load concerns rather than something else?
> I'm not saying that that is bad form, mind you. Any action is better
> than none at all.  I am however curious about the circumstances that
> have led organizations to bite the proverbial bullet and begin
> sniffing.

I'm not sure I follow the distinction you're making. I'm talking about a
very limited use of our Sniffer to tease out the exact sequence of
packets establishing and maintaining the conversation between the
student's client and our server -- a task no other tool can really do.

I'm not proposing an extended or routine practice of packet capturing on
an ongoing basis.

> Additionally, do any of you by policy differentiate between sniffing,
> monitoring and scanning? They are sometimes lumped in together often,
> I suspect, to justify any or all of these processes.

Our policies are pretty nebulous, mostly by design. Nonetheless, good
practice calls for "better behaviour" than our policies require.

Our students' understanding of our AUP (polling a few standing around
the department) expects us to routinely monitor, occasionally scan, and
sniff in emergencies only. I would guess more naive students (those not
likely to hang about the Computing Center) to not understand the
possibility of sniffing at all, hence my original question and
obligation to notify students explicitly before we sniff their traffic,
even when they originated the complaint leading us to that measure.


--Cal Frye, Network Administrator, Oberlin College
 www.ouuf.org, www.calfrye.com

  "Everything that's done by the government is done in your name. You
are responsible whether you like it or not."  -- Helen Thomas.
