Re: Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient-2.2.x)

Lawrence Houston <debian@greenfield.dyndns.org> writes:

> Running the latest CHKROOTKIT (0.43) under Debian (3.0r2) I am now
> receiving the following messages on my Router:
>    Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient-2.2.x)
>    eth1: PF_PACKET(/sbin/dhclient-2.2.x, /usr/sbin/dhcpd-2.2.x)
> Which is a bit worrisome since I had NOT this with previous versions of
> CHKROOTKIT (up to and including 0.42b)!!!  Does anyone know if this is
> "normal" for Woody's dhcp-client???

yes, it's normal.

it just means that /sbin/dhclient-2.2.x, /usr/sbin/dhcpd-2.2.x use the
packet interface (which many sniffers use).  consider it a false positive.
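
One way to confirm which executables hold packet sockets on a Linux host, as an added example (not part of the original thread and not chkrootkit's own code). It assumes the usual `/proc/net/packet` column layout, uses a constructed sample table, and takes its allowlist from the two paths in the report above.

```python
import os, re

# Constructed sample of /proc/net/packet (illustrative values, usual Linux columns).
SAMPLE = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8800b8b8c000 3      3    0003   2     1 0      0      12345
ffff8800b8b8d000 3      3    0003   3     1 0      0      12346
ffff8800b8b8e000 3      3    0003   3     1 0      0      12399
"""
# Assumption: executables expected to hold packet sockets on this host (paths from the report).
EXPECTED = {"/sbin/dhclient-2.2.x", "/usr/sbin/dhcpd-2.2.x"}

def parse_packet_table(text):
    """Return [(ifindex, inode)] for every PF_PACKET socket in the table."""
    rows = [line.split() for line in text.splitlines()[1:]]
    return [(int(f[4]), int(f[8])) for f in rows if len(f) >= 9]

def socket_owners(proc_root="/proc"):
    """Map socket inode -> set of executable paths that have it open."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            fds = os.listdir(os.path.join(base, "fd"))
        except OSError:  # process exited, kernel thread, or not enough privilege
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(base, "fd", fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), set()).add(exe)
    return owners

def unexpected_holders(table_text, owners, expected=EXPECTED):
    """Return [(ifindex, inode, exes)] for sockets not explained by `expected`."""
    out = []
    for ifindex, inode in parse_packet_table(table_text):
        exes = owners.get(inode, set())
        # A socket with no visible owner is reported too: it needs a closer look.
        if not exes or not exes <= expected:
            out.append((ifindex, inode, sorted(exes)))
    return out

if __name__ == "__main__":
    with open("/proc/net/packet") as fh:
        for row in unexpected_holders(fh.read(), socket_owners()):
            print(row)
```

Run it as root so that other processes' `fd` directories are readable; without that, every socket shows up as ownerless.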


