📡 How to Capture a PCAP on Windows / Linux / VNS

Capturing a PCAP (Packet Capture) file is essential for troubleshooting network issues. Follow the steps below based on your operating system or situation.

🪟 How to Capture a PCAP on Windows (Using Wireshark)

1. Download & Install Wireshark
2. Open Wireshark
3. Select a Network Interface

• In the main screen, you will see a list of network interfaces
• Select the interface you want to start recording

4. Click the Blue Shark Fin to start capturing packets from that interface

• Ideally you want to run the PCAP while the issue is happening or if requested

5. After a while or otherwise designated click the Red Square to stop the PCAP
6. At the top-left click File > Save As, select a location, and then save the file with a .pcap extension.

🐧 How to Capture a PCAP on Linux via SSH

This guide is assuming you are running on Ubuntu or a Debian based Linux OS. It's also assumed if you are not then you know how to install basic packages for your specific OS.

1. SSH into your machine and run the following:

sudo apt update && sudo apt install tcpdump
mkdir -p /home/pcaps;cd /home/pcaps

2. Type the following, we're going to determine which interface you need to use

ip a

• Look for the interface with the following indicators
• The status state UP indicates it is active.
• It has a non-local IP addressed listed next to inet
• For example this is the output of ip a:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1476 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:95:c0:de:9f:83 brd ff:ff:ff:ff:ff:ff
    inet 45.125.160.107/24 brd 45.125.160.255 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 fe80::295:c0ff:fede:9f83/64 scope link
       valid_lft forever preferred_lft forever

We can clearly see state UP and the inet value is a public facing IP address. This means ens3 is our primary interface.

3. Now we're going to run tcpdump on the primary interface we have just identified. Run the following:

sudo tcpdump -i !!INTERFACE_HERE!! -w capture.pcap

• Replace !!INTERFACE_HERE!! with the interface you identified. From the example it would be ens3.

4. Have the tcpdump run while the issue is occurring for a while.
5. Finally stop the capture by pressing CTRL + C
6. Your pcap file will be in the directory you are currently in. We had you create /home/pcaps/ so it should be in there if you followed everything correctly.

⌨️ How to Capture a PCAP via VNC Without SSH or RDP Access

In the event your server is under attack and you currently cannot access it via SSH or RDP your best solution is to access it via VNC.

1. Open your VNC Terminal
2. Check if tcpdump is installed by running

tcpdump --version

• If it is not installed, check the first step in the Linux SSH section above.

3. Now we're going to run tcpdump on the primary interface. Run the following:

mkdir -p /home/pcaps;cd /home/pcaps
sudo tcpdump -i !!INTERFACE_HERE!! -w vnc_capture.pcap

• Replace !!INTERFACE_HERE!! with the interface you identified. If you need help finding the interface check the Linux SSH section at step 2.

4. Have the tcpdump run while the issue is occurring for a while.
5. Finally stop the capture by pressing CTRL + C
6. Your pcap file will be in the directory you are currently in. We had you create /home/pcaps/ so it should be in there if you followed everything correctly.
7. Use the VNC File Transfer Tool to download the file if available

Updated on: 22/01/2025