Fidelis Cybersecurity
Fidelis Blog


Warn if a packet sniffer is running

The virtual “file” /proc/packet similarly contains information pulled out of the running kernel, but unlike /proc/version which doesn’t change between startup and shutdown, this one may change as sniffer programs start and stop.

In particular, this file has a single header line (starting with “sk”), and one line per program that needs the ability to send or receive raw network packets – and that usually means packet sniffers since most programs don’t deal with raw packets:

#cat /proc/net/packet
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff880127378000 3      3    0003   2     1 0      0      27450718

So what program on this system needs to work with raw packets?  It’s possible – though slightly annoying – to use that line to trace back to the original program, but in this case I already know this laptop is using a DHCP-assigned address, and the DHCP program needs to create raw packets.  We can check by looking for “dhcp” lines in the process list:

# ps axf | grep dhcp
19892 ?        S      0:00  _ /sbin/dhclient -d -4 -sf /usr/libexec/nm-dhcp-client.action -pf /var/run/ -lf /var/lib/dhclient/ -cf /var/run/nm-dhclient-eth0.conf eth0

Just to show that this does also detect sniffers, I’ll start up a copy of tcpdump in another window and look again:

# cat /proc/net/packet
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff880123cbe000 3      3    0003   2     1 0      0      32079181
ffff880127378000 3      3    0003   2     1 0      0      27450718

So we have a new line for a new sniffer (the second line of output ending in “181”), and here’s the offending copy of tcpdump:

# ps axf | egrep '(dhcp|tcpdump)'
19892 ?        S      0:00  _ /sbin/dhclient -d -4 -sf /usr/libexec/nm-dhcp-client.action -pf /var/run/ -lf /var/lib/dhclient/ -cf /var/run/nm-dhclient-eth0.conf eth0
20186 pts/8    S+     0:00          _ tcpdump -i eth0 -qtnp host

So how can we use this?  First, we don’t generally need to worry about dhcp clients; cloud servers tend to have fixed IP addresses, so that won’t normally be an issue.  That means we just need to look for any files that have two or more lines of output.  To do that, notice that the first line is all letters, and the second and further lines all have digits.  Hmmmmmmm.  🙂

Like above, create a new rule with a name like “Detect sniffers” and put in a new String Presence check:

/proc/net/packet Does not contain [0-9]

Could we get more specific than that?  Sure, we could track down the format of that file, identify exactly which part of the line identifies the action of sniffing from an ethernet cable, and make the check more specific.  It’s possible we might even be able to differentiate between the DHCP client and a traditional sniffer (although the two lines of output above are so alike that this is unlikely).  In the end, though, we don’t really gain much over the original check that looks for a digit in the file.

Remediation text might include: “It appears that a sniffer is running on this system.  Note; a system using a DHCP client may also cause this warning.”

Stay up to date on all things security

Subscribe to the Threat Geek Blog