How to take a PCAP on Windows/Linux/VNC (Packet Capture)
📡 How to Capture a PCAP on Windows / Linux / VNC
Capturing a PCAP (Packet Capture) file is essential for troubleshooting network issues. Follow the steps below based on your operating system or situation.
🪟 How to Capture a PCAP on Windows (Using Wireshark)
1. Download and install Wireshark.
2. Open Wireshark.
3. Select a network interface:
   - The main screen lists the available network interfaces.
   - Select the interface you want to capture on.
   - Click the blue shark fin to start capturing packets on that interface.
4. Ideally, run the capture while the issue is happening, or for as long as you have been asked to.
5. Once enough has been captured (or at the point you were asked to), click the red square to stop the capture.
6. At the top left, click File > Save As, choose a location, and save the file with a .pcap extension.
🐧 How to Capture a PCAP on Linux via SSH
This guide assumes you are running Ubuntu or a Debian-based Linux distribution. If you are not, it is assumed that you know how to install basic packages on your specific OS.
SSH into your machine and run the following:
sudo apt update && sudo apt install tcpdump
mkdir -p /home/pcaps && cd /home/pcaps
Next, determine which interface you need to capture on. Type the following:
ip a
Look for the interface with the following indicators:
Its state is UP, which indicates it is active.
It has a non-local IP address listed next to inet.
For example, this is the output of ip a:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1476 qdisc fq_codel state UP group default qlen 1000
link/ether 00:95:c0:de:9f:83 brd ff:ff:ff:ff:ff:ff
inet 45.125.160.107/24 brd 45.125.160.255 scope global ens3
valid_lft forever preferred_lft forever
inet6 fe80::295:c0ff:fede:9f83/64 scope link
valid_lft forever preferred_lft forever
We can clearly see state UP, and the inet value is a public-facing IP address. This means ens3 is our primary interface.
You absolutely have to check this; configurations differ depending on a number of factors.
Now we're going to run tcpdump on the primary interface we have just identified. Run the following:
sudo tcpdump -i !!INTERFACE_HERE!! -w capture.pcap
Replace !!INTERFACE_HERE!! with the interface you identified. From the example it would be ens3.
Leave tcpdump running while the issue is occurring, long enough to capture it.
Finally, stop the capture by pressing CTRL + C.
Your pcap file will be in the directory you are currently in. We had you create /home/pcaps/, so it should be in there if you followed everything correctly.
⌨️ How to Capture a PCAP via VNC Without SSH or RDP Access
If your server is under attack and you currently cannot access it via SSH or RDP, your best option is to access it via VNC.
Open your VNC Terminal
Check if tcpdump is installed by running
tcpdump --version
If it is not installed, check the first step in the Linux SSH section above.
Now we're going to run tcpdump on the primary interface. Run the following:
mkdir -p /home/pcaps && cd /home/pcaps
sudo tcpdump -i !!INTERFACE_HERE!! -w vnc_capture.pcap
Replace !!INTERFACE_HERE!! with the interface you identified. If you need help finding the interface check the Linux SSH section at step 2.
Leave tcpdump running while the issue is occurring, long enough to capture it.
Finally, stop the capture by pressing CTRL + C.
Your pcap file will be in the directory you are currently in. We had you create /home/pcaps/, so it should be in there if you followed everything correctly.
Use the VNC file transfer tool to download the file, if available.
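The Linux SSH and VNC procedures above are the same four steps: find the interface, create /home/pcaps, run tcpdump, stop with CTRL + C. The script below is added here as an example and is not part of the original guide. pick_interface applies the two indicators from the ip a section (state UP plus a global inet address) to ip a output, and run_capture runs the guide's tcpdump command with file rotation and an SSH-exclusion filter added. The two sample ip a outputs embedded in it are constructed for the example: the first is copied from the guide, the second is invented to show a VLAN-style name and a DOWN bridge that must be skipped. The function names and the --run flag are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): automates the Linux/VNC steps,
# i.e. find the primary interface from `ip a`, create /home/pcaps, and run
# tcpdump with rotation so the capture cannot fill the disk.
set -eu

# pick_interface: reads `ip a` output on stdin and prints the name of the first
# interface that is "state UP" and has a globally scoped (non-local) inet
# address, the two indicators the guide tells you to look for.
pick_interface() {
    awk '
        /^[0-9]+: / {                 # header line: "2: ens3: <BROADCAST,...> ... state UP ..."
            iface = $2
            sub(/:$/, "", iface)      # "ens3:" -> "ens3"
            sub(/@.*/, "", iface)     # "eth0.100@eth0" -> "eth0.100" (VLAN/veth style names)
            up = ($0 ~ /state UP/)
        }
        /^[[:space:]]*inet / && up && /scope global/ && !found {
            print iface
            found = 1
        }
    '
}

# run_capture IFACE [DIR]: the guide's tcpdump step with two additions:
#   -C 100 -W 5        start a new file every 100 MB and keep at most five (rotating;
#                      rotated files get a numeric suffix after capture.pcap)
#   'not tcp port 22'  keeps your own SSH session's traffic out of the capture
# DIR defaults to /home/pcaps as in the guide, which assumes you can write there (root).
run_capture() {
    iface=$1
    dir=${2:-/home/pcaps}
    mkdir -p "$dir" && cd "$dir"
    sudo tcpdump -i "$iface" -w capture.pcap -C 100 -W 5 not tcp port 22
}

# Constructed sample 1: the `ip a` output shown in the guide (indentation stripped).
SAMPLE_GUIDE=$(cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1476 qdisc fq_codel state UP group default qlen 1000
link/ether 00:95:c0:de:9f:83 brd ff:ff:ff:ff:ff:ff
inet 45.125.160.107/24 brd 45.125.160.255 scope global ens3
valid_lft forever preferred_lft forever
EOF
)

# Constructed sample 2 (invented): a DOWN docker bridge that still carries a global
# address comes before the real uplink, which is a VLAN sub-interface.
SAMPLE_VLAN=$(cat <<'EOF'
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:ac:11:00:01 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
4: eth0.100@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
    inet 10.0.100.5/24 brd 10.0.100.255 scope global eth0.100
EOF
)

# Real use: `sh capture.sh --run` picks the live interface and starts the capture.
# Without --run the script only defines the functions and samples.
if [ "${1:-}" = "--run" ]; then
    iface=$(ip a | pick_interface)
    [ -n "$iface" ] || { echo "no UP interface with a global address found; run 'ip a' and check by hand" >&2; exit 1; }
    echo "capturing on $iface (press CTRL + C to stop)"
    run_capture "$iface"
fi
```

Interfaces that report state UNKNOWN (common for tun devices and some virtual NICs) are deliberately not matched, which is why the guide tells you to check ip a by hand. If tcpdump prints Permission denied for the output file, the usual causes are tcpdump having dropped privileges to its own unprivileged user after opening the interface (capture into a directory that user can write, or pass -Z root) or an AppArmor profile restricting where it may write. To sanity-check a finished capture before sending it, run tcpdump -nn -r capture.pcap | head.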
Updated on: 22/01/2025
Thank you!