2.4 Installing tcpdump
The tcpdump application may already be installed on your Linux distribution. tcpdump requires the libpcap library, which in all likelihood is also already installed as an RPM package. libpcap is the basis of all packet-sniffing applications: it provides a portable framework for low-level network monitoring. Besides packet sniffing, it is used for network statistics collection, security monitoring, and network debugging.

Most hardcore security administrators prefer downloading the latest source, verifying the PGP signature, and compiling and installing both programs manually. If tcpdump and libpcap are not already installed, compile both from source. Even if you already have the RPM version, consider installing the latest version from source code; the latest versions very often have much better performance and stability than the pre-installed binaries. Simply uninstall the preinstalled versions of libpcap and tcpdump and proceed. As an example, if your distribution uses RPM packages, you can remove tcpdump with the following command line:

# rpm -e tcpdump
After copying the compressed files to a standard location, such as /usr/local/src/, uncompress the code. Here is an example install:

# cp tcpdump-3.8.1.tar.gz /usr/local/src/
# cp libpcap-0.8.1.tar.gz /usr/local/src/
# cd /usr/local/src
# tar -zxvf tcpdump-3.8.1.tar.gz
# tar -zxvf libpcap-0.8.1.tar.gz
Replace the version number shown above with the latest release number. The commands for installing both applications are covered in the INSTALL files included with each application's source code. These are fairly standard and do not require much modification. You may add other configuration options to the install process; to view them, pass the --help flag to the configure script (./configure --help). In most cases, though, you won't need any options.

Here's how to install libpcap and tcpdump from source (libpcap first, since tcpdump links against it):

# cd libpcap-0.8.1
# ./configure ; make ; make install
# cd ../tcpdump-3.8.1
# ./configure ; make ; make install
Note: Rather than use a semicolon to separate multiple commands on the same line, some developers recommend &&. With &&, a command is executed only if the prior commands succeed, so if something fails during the configure or make step, the entire process halts. The ";" separator allows the next command to execute regardless of errors, which can leave you running make install against a tree whose configure step never completed. Use your own discretion when running multiple compilation commands on a single line.
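To make the ";" versus "&&" difference in the note above concrete, here is an added example (not from the book) that builds a constructed throwaway source tree whose ./configure deliberately fails, runs both chains against it, and counts how many of the three steps actually executed. The stub configure and make scripts, the STEPLOG variable and the run_chain helper are all assumptions of this example.

```shell
#!/bin/sh
# Added example: show what "./configure ; make ; make install" and
# "./configure && make && make install" do when configure fails.

# Build a constructed fake source tree: ./configure records itself and
# fails; a stub 'make' (placed first on PATH) only records that it ran.
# Both stubs append to the file named by $STEPLOG. Prints the tree path.
make_fake_tree() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho configure >> "$STEPLOG"\nexit 1\n' > "$dir/configure"
    printf '#!/bin/sh\necho "make $*" >> "$STEPLOG"\n' > "$dir/make"
    chmod +x "$dir/configure" "$dir/make"
    echo "$dir"
}

# Run one command chain (passed as a string, exactly as it would be typed)
# inside the fake tree and print the number of steps that executed.
# The chain runs in a fresh 'sh -c' so an outer 'set -e' cannot mask
# the behaviour of ";" that the note describes.
run_chain() {
    tree=$1
    chain=$2
    : > "$tree/steps.log"
    ( cd "$tree" && PATH="$tree:$PATH" STEPLOG="$tree/steps.log" sh -c "$chain" ) || true
    wc -l < "$tree/steps.log" | tr -d ' '
}

# Stand-alone demonstration: with ";" all three steps run even though
# configure failed (3); with "&&" the chain halts after configure (1).
demo() {
    tree=$(make_fake_tree)
    echo "';'  chain ran $(run_chain "$tree" './configure ; make ; make install') step(s)"
    echo "'&&' chain ran $(run_chain "$tree" './configure && make && make install') step(s)"
    rm -rf "$tree"
}
```

Run demo to see the two counts; in a real build, a halted && chain is the signal to read the configure output before going any further.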