How to get packet capture (pcap) with tcpdump (Linux)

Packet captures (pcaps) are vital for our team to investigate any leak of, or bypass around, our L7 application filters. If you are asked to submit a pcap or traffic capture, please follow this article to complete the request.

The process differs depending on your operating system. This guide shows the easiest way to complete a packet capture on the two most popular base OS families. If your OS is not listed, please reach out to support and we can assist you with the next steps.

Linux

Downloading packages

We will be using the tcpdump package for this tutorial. README can be found here.

Make sure your system and kernel are up to date, then install the package with the command for your distribution:

For Debian or Ubuntu: apt-get install tcpdump

For CentOS: yum install tcpdump

Capturing packets/data

As an example, we will capture the packets coming into our game server on port **25565** for a Minecraft server. The port can be changed to suit the game, and so can the snap length of the packet. Note that tcpdump's snap length is not unlimited by default, so use the -s0 flag to capture full-length frames.

While the packet capture is running, redo or rerun the task you are having issues with (e.g. during a suspected attack, if you see traffic leaking through our firewall).

The following command captures all packets on port 25565 until you press CTRL + C. It saves the capture to a file named capture.pcap in the working directory you ran it from.

tcpdump -s0 --interface any -w capture.pcap -nn port 25565

You will have to modify this depending on your use case, i.e. -nn port {PORT} for other games. For games with multiple game ports, join the ports with "or" (a single packet only ever carries one of the game ports, so "and" would match almost nothing): -s0 -nn "port {PORT1} or port {PORT2}"

A protocol name can be prepended to the filter expression, e.g. tcp port 25565, to limit the capture to a specific protocol, i.e. if you only wanted to watch TCP packets on a port. (The separate -c flag, e.g. -c5, is unrelated: it stops the capture after that many packets.)

This should not, however, be used for regular pcap requests, as it can filter out required information.
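The steps above boil down to assembling one tcpdump command line: full snap length, all interfaces, no name resolution, a filter built from one or more ports and an optional protocol, and a file to write to. The following POSIX shell wrapper is an added example, not a script from this article or from the support team; the script name (pcap_capture.sh) and function names are assumptions. It assumes tcpdump is installed and that run_capture is invoked as root (or via sudo), since only the filter and command building are exercised here without privileges. The port-range check and the "or" joining of several ports are what keeps a multi-port request from silently producing an empty capture.

```shell
#!/bin/sh
# pcap_capture.sh (hypothetical name): wrapper around tcpdump for the capture
# described in this article. Added example, not the article's own script.

# build_filter PROTO PORT [PORT...]
# Prints a BPF filter such as "port 25565 or port 25566" or "udp port 19132".
# PROTO may be empty. Ports are joined with "or": a packet carries only one game
# port, so "port A and port B" would almost never match anything.
build_filter() {
    proto=$1; shift
    [ $# -ge 1 ] || { echo "build_filter: need at least one port" >&2; return 1; }
    filter=""
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) echo "build_filter: invalid port '$p'" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || {
            echo "build_filter: port out of range: $p" >&2; return 1; }
        term="port $p"
        [ -n "$proto" ] && term="$proto port $p"
        if [ -z "$filter" ]; then filter=$term; else filter="$filter or $term"; fi
    done
    printf '%s\n' "$filter"
}

# build_cmd OUTFILE PROTO PORT [PORT...]
# Prints the full tcpdump command line: full snap length (-s0), every interface,
# no host/port name resolution (-nn), and the pcap written to OUTFILE.
build_cmd() {
    outfile=$1; proto=$2; shift 2
    filter=$(build_filter "$proto" "$@") || return 1
    printf 'tcpdump -s0 --interface any -nn -w %s %s\n' "$outfile" "$filter"
}

# run_capture OUTFILE PROTO PORT [PORT...]
# Runs the capture until CTRL+C, then prints the first five packets of the file
# so you can confirm the capture is not empty before attaching it to a ticket.
run_capture() {
    outfile=$1; proto=$2; shift 2
    cmd=$(build_cmd "$outfile" "$proto" "$@") || return 1
    echo "Running: $cmd   (press CTRL+C to stop)" >&2
    # Word splitting of $cmd is intended: the filter contains no quoted tokens.
    $cmd
    echo "Saved $(wc -c < "$outfile") bytes to $outfile; first packets:" >&2
    tcpdump -nn -r "$outfile" -c 5
}

# Usage (as root):  sh pcap_capture.sh --run capture.pcap "" 25565
# Two UDP ports:    sh pcap_capture.sh --run capture.pcap udp 19132 19133
if [ "${1:-}" = "--run" ]; then
    shift
    run_capture "$@"
fi
```

Running the script with no arguments only defines the functions, so it can be sourced to reuse build_cmd elsewhere; the --run form is what you type during the suspected attack window.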

Uploading and submitting

That's it, you're done! Once you have recorded your pcap, either open a ticket describing your issue and attach the .pcap file from your root directory, or reply to the ticket you have already opened.
