On Wed, 15 Jun 2011 21:00:16 +0200 Leen Besselink wrote:
> tcpdump on OpenBSD kind of does this, they have 2 processes and use
> privilege separation.
>
> So the process doing the parsing is chroot'ed and running as nobody or
> something similar.

_tcpdump, safer to have its own user. And yet the OpenBSD devs and many others still recommend not to run it in parse mode (not using -w = a default snaplen of 96) live on production boxes/firewalls.