This chapter is from the book

8.3 Installing Tcpdump

The sections that follow provide specifics on tcpdump installation.

8.3.1 You May Already Be a Winner

Modern Linux systems and some other operating systems now come with tcpdump already installed. If your Linux system has tcpdump installed, it can usually be found as /usr/sbin/tcpdump. If you do not know whether your system has tcpdump installed, try logging in as root and typing:

   Solaris# type tcpdump

If this returns "tcpdump not found," tcpdump probably is not installed on your system. You may also check for the existence of /usr/local/bin/tcpdump if it is possible another administrator installed the program before you. If you find tcpdump is already present on your system, you can skip the entire section on installing it.

Solaris does not come with tcpdump installed, but it does come with a packet capturing program called snoop, installed as /usr/sbin/snoop. While snoop has a few features that tcpdump does not, it is to your advantage to install tcpdump as well. Tcpdump is widely used, and as a result, a number of programs can use its output to produce other reports. Tcpdump is also a better tool in some circumstances, including gathering packets over a long period of time.

8.3.2 Which Version to Build

As mentioned before, there are two trains of tcpdump software: the older and more standard version at the LBL and the newer version at http://www.tcpdump.org/. The latter version contains features that the older version does not, of course. You may choose to download and build either one; the installation process for both is fairly straightforward. In the following examples, the LBL version is used.

8.3.3 The Pcap Library

As mentioned earlier, tcpdump requires the pcap library, which can be downloaded from ftp://ftp.ee.lbl.gov/libpcap.tar.Z. On a Linux system, you will likely find that /usr/lib/libpcap.a or /usr/lib/libpcap.so already exists. If so, you do not need to build the pcap library on your own. If you are on a system where it does not already exist, you will have to build it. Begin by uncompressing and unpackaging the file:

   Solaris% uncompress libpcap.tar.Z
   Solaris% tar xvf libpcap.tar
   Solaris% cd libpcap-0.4

Then configure and build the package:

   Solaris% ./configure
   Solaris% make

When you are done, there will be a file named libpcap.a in the current directory. If you wish to install the pcap library on your system, you may do so by logging in to a root account and typing make install. However, you can also point the tcpdump build at the file you just created without installing it on your system.

8.3.4 Tcpdump

Retrieve the source for tcpdump from ftp://ftp.ee.lbl.gov/tcpdump.tar.Z. If you did not choose to install the pcap library on your system, you will want to place the tcpdump source so that its parent directory and the pcap source parent directory are the same. That is, from one directory you would like to see:

   libpcap-0.4/  libpcap.tar   tcpdump.tar.Z

This will allow tcpdump to find the pcap library automatically. Now uncompress and unpackage the tcpdump source:

   Solaris% uncompress tcpdump.tar.Z
   Solaris% tar xvf tcpdump.tar
   Solaris% cd tcpdump-3.4

Of course, the directory you change to will depend on the latest version number of tcpdump. Now build the package:

   Solaris% ./configure
   Solaris% make

And then you may install tcpdump from a root account:

   Solaris# make install
   Solaris# make install-man

The directory in which tcpdump is installed will depend on your system; on Solaris it will be /usr/local/sbin.
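The check from 8.3.1 and the sibling-directory build from 8.3.3 and 8.3.4, scripted together as an added example that is not from the book. It assumes libpcap.tar.Z and tcpdump.tar.Z have already been fetched into the directory given as the script's argument (nothing is downloaded), and the function names find_tcpdump, have_libpcap and build_tcpdump are chosen here.

```shell
#!/bin/sh
# Added example (not from the book): scripts the checks and build steps of
# 8.3.1-8.3.4. Assumes libpcap.tar.Z and tcpdump.tar.Z were already fetched
# into the directory passed as $1; nothing is downloaded here.

# Look for an existing tcpdump in the locations the chapter names, then on
# $PATH (the chapter's `type tcpdump`). Optional $1 is a root prefix, used
# only so the function can be exercised against a constructed directory tree.
find_tcpdump() {
    prefix=${1:-}
    for dir in /usr/sbin /usr/local/bin /usr/local/sbin; do
        if [ -x "$prefix$dir/tcpdump" ]; then
            echo "$prefix$dir/tcpdump"
            return 0
        fi
    done
    [ -z "$prefix" ] && command -v tcpdump 2>/dev/null && return 0
    return 1
}

# True when a system pcap library (libpcap.a or libpcap.so) already exists,
# in which case the chapter says there is no need to build libpcap yourself.
have_libpcap() {
    prefix=${1:-}
    [ -f "$prefix/usr/lib/libpcap.a" ] || [ -f "$prefix/usr/lib/libpcap.so" ]
}

# Unpack and build libpcap (if needed) and tcpdump as sibling directories so
# tcpdump's configure locates ../libpcap-*/libpcap.a without `make install`.
# Runs in a subshell so the caller's working directory is left alone.
build_tcpdump() (
    cd "$1" || return 1
    if ! have_libpcap; then
        uncompress libpcap.tar.Z && tar xvf libpcap.tar || return 1
        (cd libpcap-*/ && ./configure && make) || return 1
    fi
    uncompress tcpdump.tar.Z && tar xvf tcpdump.tar || return 1
    (cd tcpdump-*/ && ./configure && make) || return 1
    echo "Built. As root: cd $1/tcpdump-*/ && make install && make install-man"
)

# Usage: sh install_tcpdump.sh /dir/with/tarballs
if [ $# -eq 1 ]; then
    if existing=$(find_tcpdump); then
        echo "tcpdump already present at $existing; skipping the build"
    else
        build_tcpdump "$1"
    fi
fi
```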
