Linux HOWTOs

About | Home | Search

HOWTO: tcpdump
Description: Dump traffic on a network
Click here for ChangeLog
NOTE: I use GNU tar >= 1.13.25 so it's -j for .tar.bz2 files,
it's safe to assume that make, gcc, binutils, fileutils/coreutils, gawk, sed, and grep are prerequisites for almost everything

# tcpdump 4.9.2
# =============
# Slackware 13.37: tcpdump 4.1.1
# Slackware 14.0: tcpdump 4.3.0
# Slackware 14.1: tcpdump 4.4.0
# Slackware 14.2: tcpdump 4.7.4

# If you ever need to remove tcpdump, see the notes at the bottom

# Prerequisites (beyond those listed above):
# libpcap
# OpenSSL (optional)
# libcap-ng (optional)

# Get it
test -f installed/tcpdump-4.9.2.tar.gz && mv installed/tcpdump-4.9.2.tar.gz .
test ! -f tcpdump-4.9.2.tar.gz &&

# Verify tarball w/ sha1sum:
# (this came from my gpg-verified tarball)
echo "f7dccebe94c3d07ac8744d43297ea2b98b35a13f  tcpdump-4.9.2.tar.gz" | \
sha1sum -c

# Verify tarball w/ sha256sum:
# (this also came from my gpg-verified tarball)
echo "798b3536a29832ce0cbb07fafb1ce5097c95e308a6f592d14052e1ef1505fe79  t\
cpdump-4.9.2.tar.gz" | sha256sum -c

# Verify tarball w/ gpg:
( gpg --list-keys D9C15D0D > /dev/null 2>&1 || gpg --recv-keys D9C15D0D ) &&
 wget -nc &&
  gpg --verify tcpdump-4.9.2.tar.gz.sig && rm tcpdump-4.9.2.tar.gz.sig

# Extract the source
mkdir -p -m 0700 ~/src
cd ~/src
find -maxdepth 1 -type d -name "tcpdump-*" -exec rm -r {} \;
tar xzvf ~/tcpdump-4.9.2.tar.gz
cd tcpdump-4.9.2
test $UID = 0 && chown -R root:root .

# If your OpenSSL is installed under the /usr prefix, or the default <
# 1.1.0 prefix of /usr/local/ssl, configure should be able to find it
# without using LDFLAGS or CPPFLAGS.

# As of version 3.9.3, tcpdump can chroot to a directory when it drops
# privileges.  I generally chose /var/empty, but anywhere ... empty, is fine.
# If you don't want to do that, leave off the --with-chroot part.
# After it's installed, make tcpdump setuid root (chmod u+s
# /usr/sbin/tcpdump) if you want to be able to run it as a non-root user
# without su or sudo.

# You can either run tcpdump with the -Z user option to specify the user to
# drop privileges to when you run it as root, or you can build it in as a
# default by passing --with-user to configure.  I use the user 'nobody',
# but if you're truly paranoid, as you should be if it's possible that
# anyone other than only you would use it, you may want to create a
# 'tcpdump' user and it's own chroot directory used by nothing else.

# Configure for 64-bit:
test $(uname -m) = 'x86_64' &&
./configure --prefix=/usr --libdir=/usr/lib64 --mandir=/usr/man \
--with-chroot=/var/empty --with-user=nobody

# Configure for anything else:
test $(uname -m) != 'x86_64' &&
./configure --prefix=/usr --mandir=/usr/man --with-chroot=/var/empty \

# Build it

# Become root to install it

# Remove the Slackware package, if there is one
# Anything before Slackware 14.0 had libpcap in the tcpdump package,
# so you'd be removing both by removing that
test -x /sbin/removepkg && /sbin/removepkg tcpdump

# Install it
make install

# Make sure your non-root user can remove the source later
chown -R $(logname) .
chmod -R u+w .

# Become yourself again

# Save the source for later
mkdir -p -m 0700 installed
rm -f installed/tcpdump-*.tar.*
mv tcpdump-4.9.2.tar.gz installed/

# If you ever want to uninstall tcpdump, this should do it:
test -d src/tcpdump-* && ( cd src/tcpdump-* ; make uninstall )
rm -f /usr/sbin/tcpdump /usr/sbin/tcpdump.* \
/usr/man/man1/tcpdump.1 /usr/share/man/man1/tcpdump.1
find ~/src -maxdepth 1 -type d -name "tcpdump-*" -exec rm -r {} \;
rm -f ~/installed/tcpdump-*.tar.*

Back to the list

Last updated: Wed, 29 Apr 2020 22:04:50 -0400
Jason Englander <jason at englanders dot us>