Tuesday, August 21, 2007

md5sum Differences in Binaries - Solved

Ran into an issue today while doing some investigative checking on three servers. I checked the md5sums of /usr/sbin/tcpdump on three computers - all with the same OS, updates and versions:

[root@server1 ~]# md5sum /usr/sbin/tcpdump
db8c69b152d8046ee850157c235f1d9d /usr/sbin/tcpdump

[root@server2 ~]# md5sum /usr/sbin/tcpdump
59538ff79a609f35f426c19aa5b79418 /usr/sbin/tcpdump

[root@server3 ~]# md5sum /usr/sbin/tcpdump
ad67f858838022be37cfd653027a078d /usr/sbin/tcpdump


What gives?? After successfully stopping the hyperventilation, I did some surfing to uncover the cause. I found the answer - prelinking. Prelinking adds information about the location of linked libraries and files to the binary to minimize startup time and reduce the penalty of using dynamically linked libraries. Because prelinking rewrites the file on disk on each machine, the checksums no longer match the original binary or each other.

To test this, run 'prelink -u /usr/sbin/tcpdump', which removes any prelinking information from the binary and reverts it to its original content.

[root@server1 ~]# prelink -u /usr/sbin/tcpdump
[root@server1 ~]# md5sum /usr/sbin/tcpdump
ccc4c75db1dac80d513e2d587e4b0b35 /usr/sbin/tcpdump

[root@server2 ~]# prelink -u /usr/sbin/tcpdump
[root@server2 ~]# md5sum /usr/sbin/tcpdump
ccc4c75db1dac80d513e2d587e4b0b35 /usr/sbin/tcpdump

[root@server3 ~]# prelink -u /usr/sbin/tcpdump
[root@server3 ~]# md5sum /usr/sbin/tcpdump
ccc4c75db1dac80d513e2d587e4b0b35 /usr/sbin/tcpdump


After confirming the binaries are all the same, you can:

prelink /usr/sbin/tcpdump

to again add the prelinking data.
