How to get a packet capture (pcap)
Packet captures (also known as pcaps) are vital for our team when investigating any leak through or bypass of our L7 application filters. If you are asked to submit a pcap or traffic capture, please follow this article to complete the request.
The process differs by operating system. This guide shows the easiest way to take a packet capture on the two most common platforms. If your OS is not listed, please reach out to support and they will assist you with next steps.
Linux
Downloading packages
We will be using the tcpdump package for this tutorial. The project's documentation and manual page are at https://www.tcpdump.org/.
Install it with your distribution's package manager (as root, or with sudo):
For Debian or Ubuntu
apt-get install tcpdump
For CentOS
yum install tcpdump
Capturing packets/data
As an example we will capture the packets to and from port 25565, the default port of our Minecraft server; change the port to match your game and server.
While the capture is running, reproduce the problem you are reporting (for example, during a suspected attack in which you see traffic leaking through our firewall).
The following command captures every packet to or from port 25565 on any interface until you press CTRL + C, then saves them to a file named capture.pcap in the directory you ran the command from (not the root directory). tcpdump needs root privileges (or the CAP_NET_RAW capability), so run it as root or with sudo.
tcpdump --interface any -w capture.pcap -nn port 25565
Adjust the filter to your use case, i.e.
-nn port {PORT}
For games that use several ports, join them with or: -nn "port {PORT1} or port {PORT2}" (or -nn "portrange {FIRST}-{LAST}" for a contiguous range). Note that "port {PORT1} and port {PORT2}" would only match packets that involve both ports at the same time, so it would miss almost all of your traffic.
To restrict the capture to one transport protocol, prefix the filter with it, i.e. -nn "tcp port {PORT}" or -nn "udp port {PORT}". (The -c option is unrelated: -c 100 stops the capture after 100 packets.)
Protocol filters shouldn't be used for regular pcap requests, as they can filter out required information: the traffic that matters may not be on the protocol you expect.
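The procedure above, written up as a small POSIX shell script that a practitioner would actually leave on a game server. This is an added example, not code from the original article or from the support team. It builds the port filter with or (so multi-port games are handled correctly), runs tcpdump for a fixed number of seconds so a forgotten capture cannot fill the disk, and checks the resulting file's magic number before you upload it. The helper names build_filter, check_pcap, write_sample_header and run_capture are assumptions for this example; it assumes tcpdump and the coreutils timeout command are installed, and the capture step must run as root.

```shell
#!/bin/sh
# Added example (not from the original article): a bounded tcpdump capture for a
# support ticket. Helper names are hypothetical. Needs tcpdump and coreutils timeout.

# Build a BPF filter matching traffic to OR from any of the given ports.
# "port A and port B" would only match packets carrying both ports at once.
build_filter() {
    filter=""
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        if [ -z "$filter" ]; then
            filter="port $p"
        else
            filter="$filter or port $p"
        fi
    done
    [ -n "$filter" ] || { echo "no ports given" >&2; return 1; }
    printf '%s\n' "$filter"
}

# Sanity-check a capture before uploading it: it must be non-empty and start
# with a pcap (either byte order, micro- or nanosecond timestamps) or pcapng
# magic number. Prints the detected format on stdout.
check_pcap() {
    f="$1"
    [ -s "$f" ] || { echo "$f: missing or empty" >&2; return 1; }
    magic=$(od -An -N4 -tx1 "$f" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) echo pcap ;;
        0a0d0d0a) echo pcapng ;;
        *) echo "$f: not a capture file (magic $magic)" >&2; return 1 ;;
    esac
}

# Constructed sample: a 24-byte little-endian pcap global header (version 2.4,
# snaplen 262144, link type 1 = Ethernet) with no packets, so check_pcap can be
# exercised offline without running tcpdump.
write_sample_header() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\000\000\004\000\001\000\000\000' > "$1"
}

# Capture for a fixed number of seconds into a timestamped file, then verify it.
#   -i any  every interface      -nn  no name/port resolution
#   -U      write each packet to disk as it arrives
run_capture() {
    seconds="$1"; shift
    filter=$(build_filter "$@") || return 1
    command -v tcpdump >/dev/null || { echo "tcpdump not installed" >&2; return 1; }
    out="capture-$(date +%Y%m%d-%H%M%S).pcap"
    timeout "$seconds" tcpdump -i any -nn -U -w "$out" "$filter"
    rc=$?
    # timeout exits 124 when it had to stop tcpdump, which is the normal case here
    [ "$rc" -eq 0 ] || [ "$rc" -eq 124 ] || return "$rc"
    check_pcap "$out" >/dev/null && printf '%s\n' "$out"
}

# Usage: sudo sh capture.sh SECONDS PORT [PORT...]   e.g.  sudo sh capture.sh 120 25565
if [ "$#" -ge 2 ]; then
    run_capture "$@"
fi
```

The script prints the name of the verified capture file on success, which is the file to attach to the ticket. The port filter keeps the file to game traffic only, which matters both for size and because an unfiltered capture would include everything else the server sends and receives.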
Uploading and submitting
That's it, you're done! Check that capture.pcap is not empty, then either open a ticket stating your issue and attach the file from the directory you ran tcpdump in, or reply to the ticket you already opened. If the portal does not allow you to upload the packet capture to your ticket, upload the file somewhere such as Google Drive and make sure the sharing permissions allow our team to download it.
Windows/MacOS
Capturing on Windows or macOS with a graphical tool is often easier for those who are not comfortable with a command line. A capture from the client's perspective is also useful, as it shows which packets are accepted or blocked on the way to your server.
Downloading applications
For this article we will be using Wireshark for our capture software.
Visit https://www.wireshark.org/download.html and download the correct build for the system you will be capturing on (the Windows installer also installs the Npcap capture driver that Wireshark needs).
Capturing packets/data
Once you have installed the software, open Wireshark and you will be presented with a list of network adapters; select your primary adapter (or the adapter the traffic will be sent/received through). In my case this is Ethernet 2, and is highlighted in red. Before starting, type a capture filter such as port 25565 into the capture filter box above the adapter list, so the file contains only the game traffic rather than everything your machine sends and receives (browser sessions, logins and so on).
From the moment you double-click your adapter, Wireshark begins capturing; depending on what is running on that adapter you will see many (or few) entries in the top pane.
Saving and uploading
Once you have completed the reproduction steps that cause your issue and have collected the required packets, stop the capture with the red square button in the top left of the toolbar.
Then go to File > Save As. Wireshark saves in pcapng format by default, so choose the "Wireshark/tcpdump/... - pcap" file type if a .pcap file is requested, and save it somewhere ready to upload to your ticket/request.
That's it, you're done! Once you have recorded your pcap, either open a ticket stating your issue and attach the saved .pcap file, or reply to the ticket you already opened!
Updated on: 09/06/2023
Thank you!