Detect processes holding raw sockets: AF_PACKET sockets, or SOCK_RAW sockets in the AF_INET/AF_INET6 families.
AF_PACKET sockets hand user space complete link-layer frames; SOCK_RAW sockets on AF_INET/AF_INET6
hand it raw IP datagrams with user-supplied headers. Either one is enough for packet sniffing, ARP spoofing,
or a covert C2 channel that never touches the normal TCP/UDP stack, and on Linux both require CAP_NET_RAW
to create. Legitimate use is mostly confined to well-known tools: packet capture (tcpdump), ping/traceroute,
and DHCP clients, which need a packet socket before the interface has an address.
MITRE ATT&CK: T1040 (Network Sniffing).
Re-exports
pub use crate::heuristics::classify_raw_socket;
Structs
- RawSocketInfo - Information about a raw socket held by a process.
Functions
- walk_raw_sockets - Walk the task list and enumerate all open raw sockets.
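The enumeration described above (walk the processes, find the sockets they hold, decide whether each one is raw), as an added stand-alone example that is not this crate's code: it takes the user-space route through procfs rather than the crate's task-list walk, and the type names, the `looks_suspicious` allowlist and the sample `/proc/net` rows are all assumptions made here for illustration, not the crate's `RawSocketInfo` or `classify_raw_socket`. On Linux, `/proc/net/packet` lists every AF_PACKET socket and `/proc/net/raw` / `raw6` every SOCK_RAW IP socket, each with its inode; `/proc/<pid>/fd/<n>` symlinks read `socket:[<inode>]`, so joining the two tables on the inode attributes each raw socket to a process and fd.

```rust
use std::collections::HashMap;
use std::fs;

/// Socket family/type as recovered from the kernel's /proc/net tables (example types, not the crate's).
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum RawSocketKind {
    /// AF_PACKET: `sock_type` 3 = SOCK_RAW (frames incl. link header), 2 = SOCK_DGRAM (payload only);
    /// `proto` is the bound EtherType, 0x0003 = ETH_P_ALL, i.e. everything the interface sees.
    Packet { sock_type: u32, proto: u16, ifindex: u32 },
    /// AF_INET / AF_INET6 SOCK_RAW: `protocol` is the IP protocol number (1 = ICMP, 6 = TCP, ...).
    Raw { ipv6: bool, protocol: u16 },
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct RawSocketEntry {
    pub inode: u64,
    pub uid: u32,
    pub kind: RawSocketKind,
}

/// Parse `/proc/net/packet`. Columns: sk RefCnt Type Proto Iface R Rmem User Inode (Proto is hex).
pub fn parse_proc_net_packet(text: &str) -> Vec<RawSocketEntry> {
    text.lines().skip(1).filter_map(|line| {
        let f: Vec<&str> = line.split_whitespace().collect();
        if f.len() < 9 { return None; }
        Some(RawSocketEntry {
            inode: f[8].parse().ok()?,
            uid: f[7].parse().ok()?,
            kind: RawSocketKind::Packet {
                sock_type: f[2].parse().ok()?,
                proto: u16::from_str_radix(f[3], 16).ok()?,
                ifindex: f[4].parse().ok()?,
            },
        })
    }).collect()
}

/// Parse `/proc/net/raw` or `/proc/net/raw6`. For raw sockets the "port" half of local_address
/// is the IP protocol number (hex); uid is the 8th and inode the 10th whitespace-separated field.
pub fn parse_proc_net_raw(text: &str, ipv6: bool) -> Vec<RawSocketEntry> {
    text.lines().skip(1).filter_map(|line| {
        let f: Vec<&str> = line.split_whitespace().collect();
        if f.len() < 10 { return None; }
        let protocol = u16::from_str_radix(f[1].rsplit(':').next()?, 16).ok()?;
        Some(RawSocketEntry { inode: f[9].parse().ok()?, uid: f[7].parse().ok()?, kind: RawSocketKind::Raw { ipv6, protocol } })
    }).collect()
}

/// A `/proc/<pid>/fd/<n>` symlink pointing at a socket reads `socket:[<inode>]`; anything else is not a socket.
pub fn socket_inode_from_link(target: &str) -> Option<u64> {
    target.strip_prefix("socket:[")?.strip_suffix(']')?.parse().ok()
}

/// Join one process's (fd, link target) pairs against the inode table built from /proc/net.
pub fn match_fds<'a>(fd_links: &[(i32, &str)], table: &'a HashMap<u64, RawSocketEntry>) -> Vec<(i32, &'a RawSocketEntry)> {
    fd_links.iter()
        .filter_map(|(fd, link)| Some((*fd, table.get(&socket_inode_from_link(link)?)?)))
        .collect()
}

/// Illustrative triage only (an assumption of this example, not the crate's classify_raw_socket):
/// an ETH_P_ALL packet socket outside a few capture tools, or a raw IP socket outside ping/traceroute.
pub fn looks_suspicious(comm: &str, entry: &RawSocketEntry) -> bool {
    const CAPTURE_TOOLS: &[&str] = &["tcpdump", "dumpcap", "tshark"];
    match &entry.kind {
        RawSocketKind::Packet { proto: 0x0003, .. } => !CAPTURE_TOOLS.contains(&comm),
        RawSocketKind::Packet { .. } => false, // DHCP clients etc. bind a specific EtherType
        RawSocketKind::Raw { .. } => !matches!(comm, "ping" | "ping6" | "traceroute"),
    }
}

/// Live walk on a Linux host: build the inode table, then visit every /proc/<pid>/fd.
fn main() -> std::io::Result<()> {
    let mut table: HashMap<u64, RawSocketEntry> = HashMap::new();
    if let Ok(t) = fs::read_to_string("/proc/net/packet") {
        for e in parse_proc_net_packet(&t) { table.insert(e.inode, e); }
    }
    for (path, ipv6) in [("/proc/net/raw", false), ("/proc/net/raw6", true)] {
        if let Ok(t) = fs::read_to_string(path) {
            for e in parse_proc_net_raw(&t, ipv6) { table.insert(e.inode, e); }
        }
    }
    for dir in fs::read_dir("/proc")? {
        let dir = dir?;
        let pid = match dir.file_name().to_str().and_then(|s| s.parse::<u32>().ok()) { Some(p) => p, None => continue };
        let comm = fs::read_to_string(format!("/proc/{}/comm", pid)).unwrap_or_default().trim().to_string();
        // Listing another user's fds needs ptrace access (same uid or CAP_SYS_PTRACE); skip on EACCES.
        let fds = match fs::read_dir(format!("/proc/{}/fd", pid)) { Ok(d) => d, Err(_) => continue };
        let links: Vec<(i32, String)> = fds.flatten().filter_map(|d| {
            let fd = d.file_name().to_str()?.parse::<i32>().ok()?;
            Some((fd, fs::read_link(d.path()).ok()?.to_string_lossy().into_owned()))
        }).collect();
        let borrowed: Vec<(i32, &str)> = links.iter().map(|(fd, l)| (*fd, l.as_str())).collect();
        for (fd, entry) in match_fds(&borrowed, &table) {
            println!("pid={} comm={} fd={} uid={} {:?} suspicious={}", pid, comm, fd, entry.uid, entry.kind, looks_suspicious(&comm, entry));
        }
    }
    Ok(())
}
```

Two caveats a practitioner should keep in mind with this procfs approach: `/proc/net/*` is per network namespace, so a scanner reads only the tables of its own netns and a raw socket held by a process in another namespace (a container, for instance) will not match anything; and a socket inherited or passed over SCM_RIGHTS shows up under every process that holds the fd, so attribute it to all of them rather than assuming one owner.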