tcpdump_post

What is TCPDUMP?

TCPDUMP is a powerful tool used to capture and analyze network traffic. Starting from version 4.99 it has added a new feature that allows us to view the interface names in its output. This is a useful addition, especially on systems that have multiple NICs as it allows users to easily identify the specific network interface that is processing the traffic. Prior to this feature, users had to manually determine the interface name by running multiple instances or get creative, which could be time-consuming and error-prone.

If your system is already equipped with version 4.99:

~$ tcpdump --version

tcpdump version 4.99.1
libpcap version 1.10.1 (with TPACKET_V3)
OpenSSL 3.0.2 15 Mar 2022

You are good to go. Otherwise, you can compile this version from the source.

Installation on Debian and Ubuntu machines

In this post machines that are derivatives of Debian are covered but the steps should be similar on other flavors nonetheless.

libpcap version 1.10.1 installation

The 4.99 version depends on libpcap version 1.10.1 and that is the first thing we need to build from source.

First things first, install cURL which is a command-line utility that is used to transfer data to or from a server and then the build-essential package which is a collection of development tools for the Debian and Ubuntu operating systems. It includes the GNU C compiler (gcc), the GNU C++ compiler (g++), and other utilities and libraries that are commonly used for building software from source code.

sudo apt-get update
sudo apt-get install curl
sudo apt-get install build-essential

Download libpcap version 1.10.1:

curl https://www.tcpdump.org/release/libpcap-1.10.1.tar.gz -o libpcap1.10.1.tar.gz

Extract the libpcap1.10.1.tar.gz file:

tar -xzvf libpcap1.10.1.tar.gz

Move to the newly created directory:

cd libpcap-1.10.1/

Prepare the source code for compilation:

sudo ./configure

In case you face any errors in the output, it is highly likely that a package is missing from your system. Grab the package name from the command output and install it manually.

Install the package:

sudo make
sudo make install

Go back up a directory:

cd ../

tcpdump version 4.99.1 installation

Download tcpdump version 4.99.1:

curl https://www.tcpdump.org/release/tcpdump-4.99.1.tar.gz -o tcpdump-4.99.1.tar.gz

Extract the tcpdump-4.99.1.tar.gz file:

tar -xzvf tar -xzvf libpcap1.10.1.tar.gz

Move to the newly created directory:

cd tcpdump-4.99.1/

Prepare the source code for compilation:

sudo ./configure

In case you face any errors in the output, it is highly likely that a package is missing from your system. Grab the package name from the command output and install it manually.

Install the package:

sudo make
sudo make install

Confirm that the installation was successful:

~$ tcpdump --version

tcpdump version 4.99.1
libpcap version 1.10.1 (with TPACKET_V3)

This will place the tcpdump executable under /usr/local/bin/tcpdump directory.

Try it out

Now, the interface name, in this case eth0 is displayed in the output!

~$ sudo tcpdump -ni any

tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
18:33:17.220046 eth0  Out IP 1.2.3.4 > 5.6.7.8.6595: Flags [P.], seq 1567883865:1567883945, ack 2889134639, win 501, length 80
18:33:17.220151 eth0  Out IP 1.2.3.4 > 5.6.7.8.6595: Flags [P.], seq 80:128, ack 1, win 501, length 48
18:33:17.221331 eth0  Out IP 1.2.3.4 > 5.6.7.8.6595: Flags [P.], seq 128:240, ack 1, win 501, length 112
18:33:17.221416 eth0  Out IP 1.2.3.4 > 5.6.7.8.6595: Flags [P.], seq 240:288, ack 1, win 501, length 48
18:33:17.221498 eth0  Out IP 1.2.3.4 > 5.6.7.8.6595: Flags [P.], seq 288:352, ack 1, win 501, length 64