Please post or message me with criticism, things I missed, or things I have written incorrectly. Constructive criticism is welcome.

I used Red Hat 7.1 as my model for this tutorial, so you may get slightly different results with other distros.

WARNING!!!!!!! The way you choose to use this information may get you
into trouble. I am posting this simply as a learning tool, so that people
can start to look at how network protocols work in the real world.
Proceed with caution if you are part of an enterprise network (get
permission) or a university network (get permission). If you are on a
cable modem or DSL, you should not be able to see others' packets anyway,
due to the way their switches are set up. Dial-up users, I can't help you.

The ability to sniff packets (and understand what you are seeing) is very
useful under many different circumstances. Packet sniffing can help you
troubleshoot network problems (routing issues, packet storms, etc.),
spot intrusion attempts on a network you are responsible for, or even just
learn a lot about computers and the way in which they
communicate (protocols, etc.).

There are a number of different packet sniffing tools available, some with
a GUI, some without, some with more flexibility, others more suited to only
a single task (such as grabbing plaintext passwords off the wire). This
tutorial will deal with tcpdump, an open source, command line packet
sniffer for *nix. There is a Windows version (called windump.exe, which
must be used with winpcap.exe) but let's stick with *nix. One good reason
to get familiar with tcpdump (as opposed to its GUI brothers and sisters)
is that the way tcpdump does business (filters, formats, etc.) is compatible
with a powerful open source intrusion detection system, Snort.

In order for the install to work, you need several things: the source for
tcpdump and libpcap, root access, and an ANSI compatible C compiler (such
as gcc on my Red Hat 7.1 machine).

To start off, you need to download the source for tcpdump from (or one of their mirrors)

Also download the source for libpcap from the same site. I would
recommend downloading the latest stable version, and not the beta version.
As of this writing the latest versions of the two are

tcpdump version 3.6.2
libpcap version 0.6.2

After you have downloaded the files, you will need to uncompress them; for
me the commands were:

gzip -dv tcpdump-3.6.2.tar.gz
tar -xvf tcpdump-3.6.2.tar

gzip -dv libpcap-0.6.2.tar.gz
tar -xvf libpcap-0.6.2.tar

It is possible to do the unzip and get the files out of the tarball in one
command, but I have yet to figure out what that command is (and it wasn't
worth my time tonight to figure that one out).

Now you should have 2 new directories in the folder in which the downloaded
files were saved.

For me these are

tcpdump-3.6.2
libpcap-0.6.2
First we need to configure, compile and install libpcap. The scripts which
came with libpcap call your C compiler, so there is no need to worry about
compiling by hand, unless you are very unlucky.

Do this using the following commands from the directory libpcap-0.6.2

./configure
make
make install

You should see an approximation of the following output...

[ -d /usr/local/lib ] || \
(mkdir -p /usr/local/lib; chmod 755 /usr/local/lib)
/usr/bin/install -c -m 644 libpcap.a /usr/local/lib/libpcap.a
ranlib /usr/local/lib/libpcap.a
[ -d /usr/local/include ] || \
(mkdir -p /usr/local/include; chmod 755 /usr/local/include)
/usr/bin/install -c -m 644 ./pcap.h /usr/local/include/pcap.h
/usr/bin/install -c -m 644 ./pcap-namedb.h \
[ -d /usr/local/include/net ] || \
(mkdir -p /usr/local/include/net; chmod 755 /usr/local/include/net)
/usr/bin/install -c -m 644 ./bpf/net/bpf.h \
[ -d /usr/local/man/man3 ] || \
(mkdir -p /usr/local/man/man3; chmod 755 /usr/local/man/man3)
/usr/bin/install -c -m 644 ./pcap.3 \

This shows that the libpcap install has created the appropriate
directories with the appropriate rights. The latest version of the
libpcap installer has been configured to put the necessary files in the
correct places. Previous versions did not do that, and I once spent
several hours copying files to the proper place by hand; it wasn't fun.

OK, change directory to the tcpdump-3.6.2 directory and enter the
following commands

./configure
make
make install

You should see an approximation of the following output.

[ -d /usr/local/sbin ] || \
(mkdir -p /usr/local/sbin; chmod 755 /usr/local/sbin)
/usr/bin/install -c tcpdump /usr/local/sbin/tcpdump
[ -d /usr/local/man/man1 ] || \
(mkdir -p /usr/local/man/man1; chmod 755 /usr/local/man/man1)
/usr/bin/install -c -m 644 ./tcpdump.1 /usr/local/man/man1/tcpdump.1
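
The whole procedure so far (unpack, configure, build and install libpcap and then tcpdump, and check that the files landed where the output above shows) collected into one POSIX shell script, as an added example that is not part of the original post. It assumes the two tarballs named above sit in the current directory and that it is run as root, since make install writes under /usr/local.

```sh
#!/bin/sh
# Added example (not from the original post): the tutorial's install
# procedure as one script. libpcap must be built first, because tcpdump's
# configure script looks for the pcap.h and libpcap.a that libpcap installs.
# Assumes both tarballs sit in the current directory and that the script is
# run as root, since make install writes under /usr/local.
set -e

LIBPCAP_TGZ="libpcap-0.6.2.tar.gz"   # versions named in the tutorial
TCPDUMP_TGZ="tcpdump-3.6.2.tar.gz"

# Name of the directory a tarball unpacks into, e.g.
# tcpdump-3.6.2.tar.gz -> tcpdump-3.6.2. Fails on anything but .tar.gz/.tgz.
tarball_dir() {
    case "$1" in
        *.tar.gz) printf '%s\n' "${1%.tar.gz}" ;;
        *.tgz)    printf '%s\n' "${1%.tgz}" ;;
        *)        echo "not a gzipped tarball: $1" >&2; return 1 ;;
    esac
}

# Unpack, configure, compile and install one source tree.
# tar -xzf does the gzip -d and tar -xf steps in a single command.
build_tarball() {
    dir=$(tarball_dir "$1")
    tar -xzf "$1"
    ( cd "$dir" && ./configure && make && make install )
}

# Check that make install put the pieces where the tutorial's output shows.
verify_install() {
    for f in /usr/local/lib/libpcap.a /usr/local/include/pcap.h \
             /usr/local/sbin/tcpdump; do
        [ -e "$f" ] || { echo "missing after install: $f" >&2; return 1; }
    done
    echo "libpcap and tcpdump installed under /usr/local"
}

main() {
    build_tarball "$LIBPCAP_TGZ"
    build_tarball "$TCPDUMP_TGZ"
    verify_install
}

# Run the build only when invoked as: sh install-tcpdump.sh install
case "$1" in
    install) main ;;
esac
```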

Assuming you received no error messages, it is time to try it out.

The tcpdump install defaults to installing the tcpdump binary in

/usr/local/sbin

So, let's change to that directory and try out the command...

cd /usr/local/sbin
./tcpdump
Now you should have information pulled from captured packets streaming
across the screen. Depending on the size of the network you are on,
there will be more or less traffic. For learning purposes, I would set
up your machine on a private network of about 3 or so machines, try
different configurations, and watch what happens.

I will follow up with other tutorials on how to use tcpdump when I have
some more time. For now, read the man pages and search the net for
information about tcpdump filters and options (such as saving the data to a
file to review later, filtering out everything except one specific type of
traffic, etc.). Explore tcpdump and have fun. If you have questions
about what you are seeing, there are some great resources on the web (and in
your local bricks-and-mortar library/bookstore) about the way packets are
formed for the various protocols.

One of my favorites (although a bit dry for pleasure reading) is

TCP/IP Illustrated by Richard Stevens, I believe.

I feel obliged to warn you again: if you are doing this at work or at
school, you could get in a lot of trouble if you are caught capturing packets
without permission. If you set up your own private network for learning,
you should have no worries, and you can see the results of different
things that you might do with your computer. On a bigger network, that
traffic may tend to get lost.