The problem

You want to listen to network traffic using the tcpdump program, but you get the following error message:

root@linux# tcpdump -n tcp port 22
tcpdump: socket: Address family not supported by protocol

The cause

The af_packet kernel module is not loaded. This implements raw sockets, with which one can access a network card directly, bypassing TCP/IP – and this module is exactly what tcpdump needs.

Normally the module is loaded automatically, but this situation can occur if the module is missing or the module dependencies are not known (depmod -a was not executed).

The remedy

If necessary, update your module dependencies and then load the module manually:

root@linux# depmod -a
root@linux# modprobe af_packet

If required, check whether the module is present:

root@linux# find /lib/modules -name "af_packet*"
/lib/modules/2.6.13-15-default/kernel/net/packet/af_packet.ko

If modprobe does not work, you can try to load the module directly with insmod:

root@linux# insmod /lib/modules/2.6.13-15-default/kernel/net/packet/af_packet.ko

Linux knowledge

These articles were written by the founder of Checkmk many years ago.
They are still valid though and thus we keep them on our website.
Mathias has since then developed a monitoring software called Checkmk

Find out more