Cannot Install TCPDump on RHEL
search cancel

Cannot Install TCPDump on RHEL


Article ID: 184397


Updated On:


Data Loss Prevention Network Monitor


When trying to run tcpdump command getting following error on server:tcpdump: symbol lookup error: tcpdump: undefined symbol: pcap_set_tstamp_precision



The pcap_set_tstamp_precision symbol is provided by /lib64/ library which comes from libpcap package:


Reinstall tcpdump and libpcap package on the system. If the problem persist then check and remove third party shared libraries from the system.

# yum reinstall tcpdump libpcap

# mv /etc/ /tmp/

Run ldconfig command to create the necessary links and update cache to the most recent shared libraries found in the directories specified on the command line, in the file /etc/, and in the trusted directories, /lib and /usr/lib (on some 64-bit architectures such as x86-64, lib and /usr/lib are the trusted directories for 32-bit libraries, while /lib64 and /usr/lib64 are used for 64-bit libraries).

# ldconfig
# nm -D /lib64/ | grep pcap_set_tstamp_precision

0000000000011040 T pcap_set_tstamp_precision

# rpm -qf /lib64/


The ldd command output shows that tcpdump is using third party libraries on affected system which doesn't have the required symbols.

# ldd $(which tcpdump) => (0x00007ffd249f0000) => /lib64/ (0x00007f9e840af000) => /lib64/ (0x00007f9e83c4e000) => /opt/SymantecDLP/Protect/lib/native/ (0x00007f9e83a02000)   <<====== Third Party library => /lib64/ (0x00007f9e8363f000)   /lib64/ (0x000055716bc47000) => /lib64/ (0x00007f9e8343b000) => /opt/SymantecDLP/Protect/lib/native/ (0x00007f9e8321d000)      <<====== Third Party library The third party library entry was defined in /etc/ file.


Compare the output of below commands on affected system and make sure it's identical:

# which tcpdump


# ldd `which tcpdump` => (0x00007ffc427af000) => /lib64/ (0x00007f92ad7ae000) => /lib64/ (0x00007f92ad34d000) => /lib64/ (0x00007f92ad10b000) => /lib64/ (0x00007f92acd3e000)

/lib64/ (0x000055e4f4bff000) => /lib64/ (0x00007f92acb3a000) => /lib64/ (0x00007f92ac923000)