[SOLVED] /proc/net/packet says my server is acting as network sniffer, according to NSA doc

el_tedward · 04-25-2011, 10:43 PM

So, the NSA puts out some handy documentation on locking down a RHEL server (running centos 5.6 x64 myself) here, http://www.nsa.gov/ia/_files/os/redh...guide-i731.pdf. Under "Ensure System is Not Acting as a Network Sniﬀer" on page 63, it says that if any numbers below the first line in /proc/net/packet, that it is acting as a network sniffer. I get the following output:

Code:

sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8100b3757400 3      3    0003   3     1 0      0      8402

Edit: The NSA doc does not really go into detail about what /proc/net/packet is for, so if anyone wants to go into detail about that, I'd be a very happy panda

Unless I've been pwned, I don't know exactly what could be causing this. Besides samba, nmap (compiled from source, not from yum), screen, and rtorrent, there's nothing I've installed beyond the fresh install I did a few days ago. I was not running nmap when looking at /proc/net/packet.

corp769 · 04-25-2011, 10:59 PM

Hello,

To avoid a lot of typing and confusion, see here: http://www.linuxquestions.org/questi...on-apps-54751/

Josh

el_tedward · 04-25-2011, 11:17 PM

So, based on that post, what I'm thinking is that nmap could have put my interface into promiscuous mode, and that would be why I'm getting the stuff in /proc/net/packet that I'm getting.

corp769 · 04-26-2011, 06:23 PM

Yup

Have you learned any kernel programming skills at all? Knowing the system and how it works helps in these types of situations

Edit - This post isn't meant to be negative in anyway, I just didn't know how else to say that

el_tedward · 04-26-2011, 06:58 PM

Thanks!

I don't have much programming experience, beyond some scripting. Interested in picking up more lower level programming skills at some point, just not what I'm doing right now.

And dun worry, your comment doesn't come across as negative

corp769 · 04-26-2011, 08:11 PM

No problem man.

Cheers,

Josh

nomb · 04-27-2011, 09:41 AM

I must have missed something, where is it saying nmap puts your nic into promiscuous mode?
The only other reference I see to an app, other then the obvious tcpdump, is to a dhcp client?

unixfool · 04-27-2011, 09:49 AM

Quote:

Originally Posted by nomb

I must have missed something, where is it saying nmap puts your nic into promiscuous mode?
The only other reference I see to an app, other then the obvious tcpdump, is to a dhcp client?

I didn't read anything but I'm pretty sure it will put it in prom mode. Anything that sniffs will activate prom mode, in my experience. You can test by running nmap and checking the interface while it is running.

nomb · 04-27-2011, 10:09 AM

nmap is an active scanner though not a passive one.

Even it's "passive" scan still is sending out syn packets.

Rogue45 · 09-06-2012, 02:51 PM

So i know this thread is old but....

If your using dhcp it will show up in /proc/net/packet
I was following the same rhel guide and was wondering how i could have a packet sniffer or tcpdump running on a fresh install. I'm fairly certain it's just DHCP causing that line to show up.

Here is a link that helped me out: http://blog.cloudpassage.com/2012/09...iffer-running/

unSpawn · 09-06-2012, 06:05 PM

You could have just run

Code:

awk '/^f/ {print "lsof -Pwln|grep "$NF}' /proc/net/packet|/bin/sh|awk '{print $1}'