tcpdump_post

What is TCPDUMP?

TCPDUMP is a powerful tool used to capture and analyze network traffic. Starting with version 4.99, it can show in its output the name of the interface each packet was seen on. This is a useful addition, especially on systems with multiple NICs, because it lets users identify at a glance which network interface is carrying the traffic. Before this feature existed, users had to work out the interface themselves by running several instances or improvising, which was time-consuming and error-prone.

If your system is already equipped with version 4.99:

~$ tcpdump --version

tcpdump version 4.99.1
libpcap version 1.10.1 (with TPACKET_V3)
OpenSSL 3.0.2 15 Mar 2022

You are good to go. Otherwise, you can compile this version from source.

Installation on Debian and Ubuntu machines

This post covers Debian derivatives, but the steps should be similar on other distributions.

libpcap version 1.10.1 installation

tcpdump 4.99 depends on libpcap 1.10.1, so that is the first thing to build from source.

First, install cURL, a command-line utility for transferring data to or from a server, and the build-essential package, a collection of development tools for Debian and Ubuntu. It includes the GNU C compiler (gcc), the GNU C++ compiler (g++), and other utilities and libraries commonly used for building software from source.

sudo apt-get update
sudo apt-get install curl
sudo apt-get install build-essential

Download libpcap version 1.10.1:

curl https://www.tcpdump.org/release/libpcap-1.10.1.tar.gz -o libpcap1.10.1.tar.gz

Extract the libpcap1.10.1.tar.gz file:

tar -xzvf libpcap1.10.1.tar.gz

Move to the newly created directory:

cd libpcap-1.10.1/

Prepare the source code for compilation:

sudo ./configure

If configure reports errors, a required package is most likely missing from your system: take the package name from the command output and install it manually.

Build and install the library:

sudo make
sudo make install

Go back up a directory:

cd ../

tcpdump version 4.99.1 installation

Download tcpdump version 4.99.1:

curl https://www.tcpdump.org/release/tcpdump-4.99.1.tar.gz -o tcpdump-4.99.1.tar.gz

Extract the tcpdump-4.99.1.tar.gz file:

tar -xzvf tcpdump-4.99.1.tar.gz

Move to the newly created directory:

cd tcpdump-4.99.1/

Prepare the source code for compilation:

sudo ./configure

If configure reports errors, a required package is most likely missing from your system: take the package name from the command output and install it manually.

Build and install tcpdump:

sudo make
sudo make install

Confirm that the installation was successful:

~$ tcpdump --version

tcpdump version 4.99.1
libpcap version 1.10.1 (with TPACKET_V3)

This places the tcpdump executable at /usr/local/bin/tcpdump. If the distribution's own tcpdump package is also installed, run command -v tcpdump to see which binary your shell resolves.
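The version check at the top of the post and the confirmation step above can be scripted so a provisioning run knows whether the build is needed at all, and whether the binary on PATH after make install is really the new one. The following is an added example, not a script from the post or from the tcpdump project; the function names and the --check flag are this example's own, and it assumes the banner format "tcpdump version X.Y.Z" shown above.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check of the tcpdump
# your shell actually resolves. Useful before building (is the build needed?)
# and after `make install`, when a distribution package may still sit earlier
# on PATH than the new /usr/local/bin/tcpdump.

# Return 0 when the banner describes tcpdump >= 4.99.0 (interface names in
# output), 1 when it is older, 2 when it is not a tcpdump version banner.
# Argument: the first line of `tcpdump --version` output, e.g.
# "tcpdump version 4.99.1".
tcpdump_supports_ifname() {
    line=$1
    # Keep only the leading dotted version; suffixes such as "-PRE-GIT" are dropped.
    ver=$(printf '%s\n' "$line" | sed -n 's/^tcpdump version \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    if [ "$rest" = "$ver" ]; then
        minor=0                      # bare "5" style version, no minor component
    else
        minor=${rest%%.*}
    fi
    # Numeric comparison of (major, minor) against (4, 99): 4.9.x must sort below 4.99.
    [ "$major" -gt 4 ] && return 0
    [ "$major" -eq 4 ] && [ "$minor" -ge 99 ] && return 0
    return 1
}

# Report on the tcpdump found on PATH. The exit status mirrors
# tcpdump_supports_ifname so the function can gate a provisioning script.
check_installed_tcpdump() {
    bin=$(command -v tcpdump) || { echo "tcpdump: not found on PATH" >&2; return 2; }
    # Older releases printed the banner on stderr, 4.99 prints it on stdout; catch both.
    banner=$(tcpdump --version 2>&1 | head -n 1)
    status=0
    tcpdump_supports_ifname "$banner" || status=$?
    case $status in
        0) echo "$bin: $banner (interface names available)" ;;
        1) echo "$bin: $banner (older than 4.99, build from source)" ;;
        *) echo "$bin: unrecognised version banner: $banner" ;;
    esac
    return "$status"
}

# Run the check when executed as `sh tcpdump_check.sh --check` (hypothetical file name).
if [ "${1:-}" = "--check" ]; then
    check_installed_tcpdump
fi
```

Run it once before the build and once after make install; if the second run still reports the old path and version, the new binary is not first on PATH (hash -r in bash, or a fresh shell, picks up /usr/local/bin/tcpdump).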

Try it out

Now the interface name, in this case eth0, is displayed in the output! The interface column is part of the LINUX_SLL2 ("Linux cooked v2") link type that tcpdump 4.99 with libpcap 1.10 uses for the any pseudo-interface, which is why this example captures on any.

~$ sudo tcpdump -ni any

tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
18:33:17.220046 eth0  Out IP 1.2.3.4 > 5.6.7.8.6595: Flags [P.], seq 1567883865:1567883945, ack 2889134639, win 501, length 80
18:33:17.220151 eth0  Out IP 1.2.3.4 > 5.6.7.8.6595: Flags [P.], seq 80:128, ack 1, win 501, length 48
18:33:17.221331 eth0  Out IP 1.2.3.4 > 5.6.7.8.6595: Flags [P.], seq 128:240, ack 1, win 501, length 112
18:33:17.221416 eth0  Out IP 1.2.3.4 > 5.6.7.8.6595: Flags [P.], seq 240:288, ack 1, win 501, length 48
18:33:17.221498 eth0  Out IP 1.2.3.4 > 5.6.7.8.6595: Flags [P.], seq 288:352, ack 1, win 501, length 64
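With the interface and direction on every line, a capture from the any pseudo-interface can be reduced to per-NIC In/Out counts instead of being read packet by packet. The following is an added example, not code from the post or from tcpdump: it parses the line layout shown above (time, interface, direction, then the decode) with awk. The function names are this example's own, and the sample capture is constructed: the first two eth0 lines are taken from the post's output, the rest are made up to exercise the other interface and direction keys.

```shell
#!/bin/sh
# Added example, not part of the original post: turn LINUX_SLL2 output into a
# per-interface, per-direction summary. On each packet line field 2 is the
# interface and field 3 the direction, so aggregating on those two fields
# answers "which NIC is this traffic actually leaving on?".

# Reads tcpdump text on stdin and prints one line per (interface, direction):
#   IFACE DIR packets=P bytes=B
# Direction tokens are the ones tcpdump prints for LINUX_SLL2: In, Out, and
# B/M/P for broadcast, multicast and other-host frames. Banner lines
# ("tcpdump: ...", "listening on ...") have something else in field 3 and are
# skipped. "bytes" sums the trailing "length N" token; lines without that token
# (some decoders print sizes differently) count as packets but add no bytes.
summarize_by_iface() {
    awk '
        $3 == "In" || $3 == "Out" || $3 == "B" || $3 == "M" || $3 == "P" {
            key = $2 " " $3
            pkts[key]++
            # Walk back from the end of the line looking for "length N".
            for (i = NF - 1; i > 3; i--) {
                if ($i == "length") { bytes[key] += $(i + 1); break }
            }
        }
        END {
            for (key in pkts)
                printf "%s packets=%d bytes=%d\n", key, pkts[key], bytes[key] + 0
        }
    ' | LC_ALL=C sort
}

# Constructed sample: the two eth0 Out lines are from the post, the others are
# made up to cover In, broadcast and a second interface.
SAMPLE_CAPTURE='tcpdump: data link type LINUX_SLL2
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
18:33:17.220046 eth0  Out IP 1.2.3.4 > 5.6.7.8.6595: Flags [P.], seq 1567883865:1567883945, ack 2889134639, win 501, length 80
18:33:17.220151 eth0  Out IP 1.2.3.4 > 5.6.7.8.6595: Flags [P.], seq 80:128, ack 1, win 501, length 48
18:33:17.225000 eth0  In  IP 5.6.7.8.6595 > 1.2.3.4.443: Flags [.], ack 128, win 1000, length 0
18:33:17.230000 wlan0 In  IP 10.0.0.2.5353 > 224.0.0.251.5353: UDP, length 120
18:33:17.231000 wlan0 B   ARP, Request who-has 10.0.0.1 tell 10.0.0.2, length 28'

# Summarise the constructed sample; wrapped in a function so the result can be checked.
demo_summary() {
    printf '%s\n' "$SAMPLE_CAPTURE" | summarize_by_iface
}

demo_summary
```

On a live system the same function takes the real capture, for example sudo tcpdump -ni any -c 200 | summarize_by_iface; the -c limit matters because awk only prints its totals once the input ends.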