chkrootkit - PACKET SNIFFER detection

Hi. I ran chkrootkit on my debian image and one line had the output:

Checking `sniffer'… lo: not promisc and no packet sniffer sockets

eth0: PACKET SNIFFER(/sbin/dhclient-2.2.x (deleted)[105])

Is it normal for dhclient to be detected as root kit or has mine been infected somehow! ?

5 Replies

dhclient does set some socket options which chkrootkit might detect as sniffing. Basically, dhclient needs to accept any traffic, because it runs before the interface has an IP. That's my guess, at least, sorry for the non-confidence inspiring lack of technical details.

Could you deploy a fresh Debian install (only needs 80 megs or so), and run chkrootkit against it? I'd guess you'd get the same result. Googling turned up similar results as yours for Slackware, and some other distros…


Yes, I think I have a spare room on my linode for that. Do I need another IP to be able to access the other one with ssh?

It is due to dhclient….caker's descriptio is exactly correct.

I know this topic's been dealt with, but for future reference…

> Do I need another IP to be able to access the other one with ssh?

I believe that only one profile can be up at a time, even if you do have more than one IP. I could be wrong on that, but from what I've seen that's how it works.


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct