package: chkrootkit
version: 0.58b-4
severity: normal
tags: upstream

ifpromisc (the 'sniffer' test) does not report all 'packet sniffers' that it detected
A standard desktop with Network Manager and wifi has 4 processes with sockets listening on network interfaces, 2 from NetworkManager and 2 from wpa_supplicant, but ifpromisc only detects 3 of them.

This is a combination of:

1. only looking at interfaces with IPv4 addresses attached (I think it would miss any IPv6-only sockets at the moment, or any sniffers if the interface happens to be down - I have not tested this), and
2. a logic error in how the output is created: it assumes that looping over all visible interfaces will output all the sniffers in the proc_net_packet linked list. But this is not correct - if a sniffer has an unusual network index (such as 0 - I assume this means "listen on all interfaces"?) it will not be output, even though we did detect it, and have all its details ready to go.

This causes it to provide incomplete output. So it needs to check that every socket in /proc/net/packet has been "found" in the process list and, if not, output the rest.

I have a patch to fix this (won't be added until trixie is stable).
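The reporting gap described in point 2, as an added sketch that is neither chkrootkit's code nor the reporter's patch: it parses a /proc/net/packet table, reports sockets per visible interface, then makes a second pass over every socket the first pass never reached (such as one with interface index 0). The sample table, inode numbers, interface indexes 2 and 3, and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* One row of /proc/net/packet: sk RefCnt Type Proto Iface R Rmem User Inode */
struct pkt_sock { unsigned proto; int ifindex; unsigned long inode; int reported; };

/* Constructed sample (not from a real host): the last socket has Iface 0. */
static const char SAMPLE[] =
    "sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
    "ffff000000000001 3      3    0003   2     1 0      0      20101\n"
    "ffff000000000002 3      2    888e   3     1 0      0      20102\n"
    "ffff000000000003 3      3    0003   3     1 0      0      20103\n"
    "ffff000000000004 3      2    0003   0     1 0      0      20104\n";

/* Parse the table text; returns the number of sockets stored in out[]. */
int parse_packet_table(const char *text, struct pkt_sock *out, int max) {
    int n = 0;
    const char *line = strchr(text, '\n');        /* skip the header row */
    while (line && *++line && n < max) {
        struct pkt_sock s = {0};
        if (sscanf(line, "%*s %*d %*d %x %d %*d %*d %*d %lu", &s.proto, &s.ifindex, &s.inode) == 3)
            out[n++] = s;
        line = strchr(line, '\n');
    }
    return n;
}

/* Pass 1: sockets on visible interfaces. Pass 2: all others (*leftover). Returns total. */
int report_all(struct pkt_sock *s, int n, const int *ifidx, int nif, int *leftover) {
    int total = 0, i, j;
    for (i = 0; i < nif; i++)
        for (j = 0; j < n; j++)
            if (!s[j].reported && s[j].ifindex == ifidx[i]) {
                printf("ifindex %d: inode %lu proto %04x\n", ifidx[i], s[j].inode, s[j].proto);
                s[j].reported = 1; total++;
            }
    for (*leftover = 0, j = 0; j < n; j++)
        if (!s[j].reported) {                     /* detected but never printed by pass 1 */
            printf("ifindex %d (unlisted): inode %lu proto %04x\n", s[j].ifindex, s[j].inode, s[j].proto);
            s[j].reported = 1; total++; (*leftover)++;
        }
    return total;
}

int main(void) {
    struct pkt_sock s[16];
    int visible[] = { 2, 3 }, leftover;           /* assumed visible interface indexes */
    int n = parse_packet_table(SAMPLE, s, 16);
    return report_all(s, n, visible, 2, &leftover) == n ? 0 : 1;
}
```

Mapping each inode back to an owning process is left out here to keep the sketch on the reporting logic.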