8.3 Installing Tcpdump
The sections that follow provide specifics on tcpdump installation.
8.3.1 You May Already Be a Winner
Modern Linux systems and some other operating systems now come with tcpdump already installed. If your Linux system has tcpdump installed, it can usually be found as /usr/sbin/tcpdump. If you do not know if your system has tcpdump installed, try logging in as root and typing:
Solaris# type tcpdump
If this returns "tcpdump not found," tcpdump probably is not installed on your system. You may also check for the existence of /usr/local/bin/tcpdump if it is possible another administrator installed the program before you. If you find tcpdump is already present on your system, you can skip the entire section on installing it.
Solaris does not come installed with tcpdump, but does come with a packet capturing program called snoop, installed as /usr/sbin/snoop. While snoop has a few features that tcpdump does not, it is to your advantage to install tcpdump as well. Tcpdump is widely used, and as a result, a number of programs can use its output to produce other reports. Tcpdump is also a better tool in some circumstances, including gathering packets over a long period of time.
8.3.2 Which Version to Build
As mentioned before, there are two trains of tcpdump software: the older and more standard version at the LBL and the newer version at http://www.tcpdump.org/. The latter version contains features that the older version does not, of course. You may choose to download and build either one; the installation process for both is fairly straightforward. In the following examples, the LBL version is used.
8.3.3 The Pcap Library
As mentioned earlier, tcpdump requires the pcap library, which can be downloaded from ftp://ftp.ee.lbl.gov/libpcap.tar.Z. On a Linux system, you will likely find that /usr/lib/libpcap.a or /usr/lib/libpcap.so already exists. If so, you do not need to build the pcap library on your own. If you are on a system where it does not already exist, you will have to build it. Begin by uncompressing and unpackaging the file:
Solaris% uncompress libpcap.tar.Z Solaris% tar xvf libpcap.tar Solaris% cd libpcap-0.4
Then configure and build the package:
Solaris% ./configure Solaris% make
When you are done, there will be a file named libpcap.a in the current directory. If you wish to install the pcap library on your system, you may do so by logging in to a root account and typing make install. However, you can also point the tcpdump build at the file you just created without installing it on your system.
Retrieve the source for tcpdump from ftp://ftp.ee.lbl.gov/tcpdump.tar.Z. If you did not choose to install the pcap library on your system, you will want to place the tcpdump source so that its parent directory and the pcap source parent directory are the same. That is, from one directory you would like to see:
libpcap-0.4/ libpcap.tar tcpdump.tar.Z
This will allow tcpdump to find the pcap library automatically. Now uncompress and unpackage the tcpdump source:
Solaris% uncompress tcpdump.tar.Z Solaris% tar xvf tcpdump.tar Solaris% cd tcpdump-3.4
Of course, the directory you change to will depend on the latest version number of tcpdump. Now build the package:
Solaris% ./configure Solaris% make
And then you may install tcpdump from a root account:
Solaris# make install Soalris# make install-man
The directory in which tcpdump is installed will depend on your system; on Solaris it will be /usr/local/sbin.