Detecting Packet Sniffing Malware on Linux
16 June 2025
Packet sniffing on Linux can be used for a variety of legitimate reasons, but sometimes it's used by malware for traffic monitoring to steal information and activate covert backdoors. In this article we're going to show you how to search the /proc/net/packet file on your Linux systems to find suspicious processes that may be grabbing traffic.
Using the /proc/net Directory to Find Network Activity
On Linux the /proc/net directory contains many files that describe the network protocols in use and what is using them. For instance, you can see all open TCP or UDP sockets by looking at /proc/net/tcp or /proc/net/udp. You can also view lower-level activity, raw sockets grabbing network traffic, with /proc/net/packet.
For this article we'll look at the /proc/net/packet file. This file shows you all raw or packet network sockets sniffing traffic. This can allow you to find legitimate, but also illegitimate, processes that are grabbing network packets. More importantly, it also allows you to find processes that may be hiding this activity from detection.
Below we see a sample of the /proc/net/packet file.
While /proc/net/packet is handy for checking for rogue sniffers, the file only shows you open socket inodes and the user IDs that own them. It doesn't list the processes doing the deed, which means we need to work that out in a separate step. For example, the sample above actually shows two malicious sniffing processes. Below we've identified one with red arrows.
Connecting an Open Inode to an Active Process
While the sample above shows us open inodes, this isn't useful by itself. We actually need to find out which processes have those inodes open, because that reveals which processes are grabbing network traffic. This is tedious to do by hand, so we made a script (available below and here) to do it for you. When run, it lists every process sniffing traffic. Below we see our two malicious processes after running our script.
Note that there are legitimate reasons to grab traffic such as monitoring for DHCP, routing protocols, etc. You will need to learn what is normal for your Linux hosts and what is not.
Above we see two systemd processes with open raw sockets grabbing network traffic (often for network discovery protocols). However, we also have two suspicious processes: "kthread" and "dbus-daemon" are both outliers. They are not normally seen grabbing network traffic and need investigation.
Using lsof to Find a Packet Sniffer
If you are investigating a Linux host and see a suspicious process, you can use lsof -p <PID> (Process ID) to list everything that process has open and see whether it holds a packet socket. This is handy if lsof is already installed, but there are some caveats. First of all, it may not be installed, and we don't recommend installing any new tools on systems you are investigating, as doing so may damage evidence. Second, some malware has been known to hide from tools like lsof, so there is a chance it will show nothing.
In this case, we run lsof -p 1101 to list everything PID 1101 has open. Below we see the open raw socket, plus multiple other files. Note the deleted binary in /dev/shm, which is a major red flag for malware. This particular malware is a backdoor that watches all network traffic, waiting for magic packets to activate it. Once the magic packets are received, the attacker can access the backdoor.
There are different types of packet sockets. Some will grab only traffic for a particular protocol, such as DHCP, but others will grab all IP traffic (proto 0x0800 in the /proc/net/packet file) and are much more suspicious because of the breadth of what they are waiting for.
Find Hiding Malware by Looking Directly
As discussed, malware has been known to alter the output of system tools like netstat, ss, and lsof in order to hide. Comparing /proc/net/packet against what those tools report can reveal a discrepancy that exposes something hiding. If this file lists an open packet socket whose owning process is not shown by the normal utilities, you may have malware that is hiding.
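The inode-to-process join described in the script section, and the discrepancy check above, as an added example that is not Sandfly's script or any code from the original article. It parses the /proc/net/packet table, walks /proc/<pid>/fd for socket:[inode] links, and reports any packet socket that no visible process owns; the sample table is constructed, and the Proto names are the standard ethertype constants.

```python
"""Join /proc/net/packet to /proc/<pid>/fd to name the processes sniffing traffic."""
import os
import re
from collections import namedtuple

# Ethertype filters as they appear (hex) in the Proto column; 0x0003 means every frame.
PROTO_NAMES = {0x0003: "ETH_P_ALL", 0x0800: "ETH_P_IP", 0x0806: "ETH_P_ARP", 0x86DD: "ETH_P_IPV6"}

# Constructed sample, not captured from a real host. Type 3 = SOCK_RAW, 2 = SOCK_DGRAM.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a0c12345000 3      3    0003   0     1 0      0      21342
ffff9a0c12346000 3      2    0800   2     1 0      0      21399
"""
PacketSocket = namedtuple("PacketSocket", "sock_type proto ifindex uid inode")

def parse_proc_net_packet(text):
    """Parse the table into PacketSocket tuples; the first line is the header."""
    sockets = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 9:  # Proto is hex, the other columns decimal
            sockets.append(PacketSocket(int(f[2]), int(f[3], 16), int(f[4]), int(f[7]), int(f[8])))
    return sockets

def socket_inode_owners(proc_root="/proc"):
    """Return {socket inode: [(pid, comm), ...]} from every readable /proc/<pid>/fd link."""
    owners = {}
    for pid in (p for p in os.listdir(proc_root) if p.isdigit()):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            with open(os.path.join(proc_root, pid, "comm")) as fh:
                comm = fh.read().strip()
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited mid-scan, or we are not root
        for m in filter(None, (re.fullmatch(r"socket:\[(\d+)\]", t) for t in links)):
            owners.setdefault(int(m.group(1)), []).append((int(pid), comm))
    return owners

def match_sniffers(sockets, owners):
    """One row per (socket, owner); an inode with no visible owner is itself a finding."""
    rows = []
    for s in sockets:
        proto = PROTO_NAMES.get(s.proto, f"0x{s.proto:04x}")
        for pid, comm in owners.get(s.inode, [(None, "<no visible owner>")]):
            rows.append((pid, comm, proto, s.ifindex, s.inode))
    return rows
```

On a live host, run as root and pass the contents of /proc/net/packet to parse_proc_net_packet, then join with socket_inode_owners(); a "<no visible owner>" row means the socket's fd is not visible under any /proc/<pid>/fd, which is the discrepancy worth chasing.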
The script we used to list the open packet sockets and compare them against the process list is available in our Github repository below. We'll be adding more scripts for Linux forensics and incident response there in the future, so keep it bookmarked:
Sandfly Security Linux Forensics Scripts
Find Packet Sniffing Malware at Scale Instantly
While doing this manually is great for direct incident response, our agentless Linux security platform can do it in seconds at scale. You can get a free trial and know immediately if any suspicious processes are sniffing traffic today. Sandfly deploys instantly without any endpoint agents with complete safety and compatibility across virtually all Linux systems and architectures. Get a free license and try it today.