How to take a PCAP on Windows/Linux/VNC (Packet Capture)
📡 How to Capture a PCAP on Windows / Linux / VNC
Capturing a PCAP (Packet Capture) file is essential for troubleshooting network issues. Follow the steps below based on your operating system or situation.
🪟 How to Capture a PCAP on Windows (Using Wireshark)
- Download and install Wireshark.
- Open Wireshark.
- Select a network interface: the main screen lists the available network interfaces; select the one you want to record.
- Click the blue shark fin to start capturing packets from that interface.
- Ideally, run the capture while the issue is happening, or whenever you have been asked to.
- After a while, or when otherwise instructed, click the red square to stop the capture.
- At the top left, click File > Save As, choose a location, and save the file with a .pcap extension.
🐧 How to Capture a PCAP on Linux via SSH
This guide assumes you are running Ubuntu or another Debian-based Linux distribution. If you are not, it is assumed you know how to install basic packages on your particular OS.
- SSH into your machine and run the following:
sudo apt update && sudo apt install tcpdump
mkdir -p /home/pcaps;cd /home/pcaps
- Run the following to determine which interface you need to use:
ip a
- Look for the interface with the following indicators:
  - Its status reads state UP, which indicates it is active.
  - It has a non-local IP address listed next to inet.
- For example, this is the output of ip a:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1476 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:95:c0:de:9f:83 brd ff:ff:ff:ff:ff:ff
    inet 45.125.160.107/24 brd 45.125.160.255 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 fe80::295:c0ff:fede:9f83/64 scope link
       valid_lft forever preferred_lft forever
We can clearly see state UP, and the inet value is a public-facing IP address. This means ens3 is our primary interface.
- Now run tcpdump on the primary interface you have just identified:
sudo tcpdump -i !!INTERFACE_HERE!! -w capture.pcap
- Replace !!INTERFACE_HERE!! with the interface you identified. From the example above it would be ens3.
- Let tcpdump run for a while while the issue is occurring.
- Finally, stop the capture by pressing CTRL + C.
- Your pcap file will be in the directory you are currently in. We had you create /home/pcaps/, so it should be in there if you followed everything correctly.
⌨️ How to Capture a PCAP via VNC Without SSH or RDP Access
In the event your server is under attack and you currently cannot access it via SSH or RDP, your best option is to access it via VNC.
- Open your VNC terminal.
- Check whether tcpdump is installed by running:
tcpdump --version
- If it is not installed, see the first step of the Linux SSH section above.
- Now run tcpdump on the primary interface:
mkdir -p /home/pcaps;cd /home/pcaps
sudo tcpdump -i !!INTERFACE_HERE!! -w vnc_capture.pcap
- Replace !!INTERFACE_HERE!! with the interface you identified. If you need help finding the interface, see step 2 of the Linux SSH section.
- Let tcpdump run for a while while the issue is occurring.
- Finally, stop the capture by pressing CTRL + C.
- Your pcap file will be in the directory you are currently in. We had you create /home/pcaps/, so it should be in there if you followed everything correctly.
- Use the VNC file transfer tool to download the file, if one is available.
Updated on: 22/01/2025
Thank you!