Start a conversation

How to Get PCAPS from Linux

Overview: Network captures are one of the most useful tools while troubleshooting VoIP systems and resolving network related issues. Since more and more servers are being installed on Linux due to the minimal resource requirements, it's important to know how to obtain a Network Capture on a Linux server.

Before you begin: You will need to have ROOT access to a Linux Server that is running the SSH (Secured SHell) Service. We will be using PuTTY to run commands on the server, and WinSCP to extract files from the server.

  1. First, let's install tcpump on your Linux server. Login as ROOT (Super User) and use the command:
    • sudo apt-get update && apt-get install tcpdump
    • This command will download package lists and updates the list to get information on the newest versions of packages. After the list of packages have been updated, the command will proceed to download and install the package tcpdump
  2. Ensure that no errors have been received. If you receive an error this may be due to your account permissions or you may be missing dependencies which need to be installed prior to installing tcpump.
  3. You will want to change your directory to the area you would like to store files. Below are some of the commands you may use to create directories or navigate through your system.
    • pwd command is used to Print Working Directory and will output the current directory you are in.
    • cd command will be used to Change Directory.
    • mkdir command is used to Make a Directory in the current working directory.
    • mv command is used to move files from one location to another.
  4. Use the command below to start monitoring everything on your network (all ports and activity) and output to a file named "MyPCAP.pcap"
    • tcpdump -i any -w MyPCAP.pcap

    • Use Ctrl + C to break the capture and return to the terminal.
  5. Once your capture has ended, open WinSCP and connect to your server to copy your PCAP files to a different computer.
  6. With WinSCP connected, navigate to the directory which you were working. See the above commands to assist with this.
    • Right click your file and click "Download" - this will download a copy to your local computer and keep the file on your Linux Server.
  7. Once the file is downloaded, you can use Wireshark to open the packet capture and troubleshoot network related issues.
Choose files or drag and drop files
Was this article helpful?
  1. Steve Stoveld

  2. Posted
  3. Updated