How to Create a PCAP File on Your VPS
A PCAP file (Packet Capture) records the raw packets passing through a network interface of your server. In some cases, our support team needs this data for an in-depth analysis of network issues – e.g. DDoS attacks, connection drops, or packet loss.
Info
A PCAP file complements a Network Trace (MTR). While an MTR trace shows the route and packet loss per hop, a PCAP file captures the actual packets at the protocol level.
Prerequisites
- VPS with SSH or Remote Desktop access
- tcpdump installed (Linux) or Wireshark installed (Windows)
Linux – tcpdump
Installation
```bash
sudo apt install tcpdump    # Debian/Ubuntu
sudo yum install tcpdump    # CentOS/RHEL
sudo pacman -S tcpdump      # Arch Linux
```
Find Your Network Interface
Before starting a capture, you need to know which network interface your server uses:
```bash
sudo tcpdump -D
```
Common interface names are eth0, ens18, or ens192.
Start Capture
Recommended Packet Count
We recommend a packet count of 100000 (100,000). This is sufficient in most cases to capture the issue without the file becoming unnecessarily large.
Capture all traffic (100,000 packets):
```bash
sudo tcpdump -ni eth0 -s 0 -c 100000 -w capture.pcap
```
Capture only a specific port:
```bash
sudo tcpdump -ni eth0 -s 0 -c 100000 -w capture.pcap port 25565
```
Info
Port 25565 in this example is the default port for Minecraft. Replace it with the port of your affected service.
Capture only traffic from/to a specific IP:
```bash
sudo tcpdump -ni eth0 -s 0 -c 100000 -w capture.pcap host 123.45.67.89
```
Combine port and IP:
```bash
sudo tcpdump -ni eth0 -s 0 -c 100000 -w capture.pcap host 123.45.67.89 and port 25565
```
Exclude your own SSH connection (recommended so that your own session does not skew the capture):
```bash
sudo tcpdump -ni eth0 -s 0 -c 100000 -w capture.pcap not port 22
```
Tip
The capture runs until the specified packet count is reached or you stop it manually with Ctrl + C. If your SSH daemon listens on a port other than 22, use that port in the filter. Keep in mind that not port 22 also discards everyone else's SSH traffic; if SSH itself is the affected service, exclude only your own client address instead (not host followed by your IP). On Debian/Ubuntu, tcpdump drops its privileges to the tcpdump user before it opens the output file, so write into a directory that user can write to (for example /tmp) or pass -Z root; otherwise the capture aborts with "Permission denied".
Important Parameters Explained
| Parameter | Meaning |
|---|---|
| -ni eth0 | Capture on interface eth0 (-i) and do not resolve addresses or ports to names (-n), which avoids DNS lookups and is faster |
| -s 0 | Capture full packets (no truncation); current tcpdump versions do this by default, -s 0 keeps the command safe on older releases that truncated packets |
| -c 100000 | Automatically stop after 100,000 packets |
| -w capture.pcap | Save the raw packets to this file instead of printing them |
| port 25565 | Only traffic to or from this port (TCP or UDP) |
| host 1.2.3.4 | Only traffic from/to this IP |
| not port 22 | Exclude SSH traffic (adjust the port if your SSH daemon listens elsewhere) |
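The Linux procedure above as one script, added here as an example and not part of the original article. It makes a few assumptions of its own: the filter is built from command-line arguments, your own SSH session is identified from the SSH_CONNECTION variable that sshd sets (so only that session is excluded, not all of port 22), output is rotated into 100 MB files with -C/-W so a long capture cannot fill the disk, the default output prefix is /var/tmp/capture, and -Z root is passed so the Debian/Ubuntu privilege drop does not break the file write. The file names, sizes and limits are choices made for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): wraps the tcpdump procedure
# in a script. Assumptions made here, not by the page: arguments supply the
# filter, SSH_CONNECTION identifies your own session, -C/-W rotation with
# 100 MB files, /var/tmp/capture as default output prefix, -Z root.
set -eu

# Append a BPF term to an existing filter with "and".
and_term() {
    if [ -z "$1" ]; then printf '%s' "$2"; else printf '%s and %s' "$1" "$2"; fi
}

# build_filter HOST PORT SSH_CONNECTION -> prints the BPF capture filter.
# Empty HOST/PORT are skipped. Instead of the blanket "not port 22" used in
# the article, only your own SSH connection (client ip+port <-> server
# ip+port) is excluded, so attacks against sshd still appear in the capture.
build_filter() {
    local host="$1" port="$2" sshconn="$3" filter=""
    if [ -n "$host" ]; then
        # Accept only address/hostname characters so a stray argument cannot
        # smuggle extra BPF primitives into the expression.
        case "$host" in
            *[!0-9A-Za-z.:-]*) echo "build_filter: invalid host '$host'" >&2; return 1 ;;
        esac
        filter=$(and_term "$filter" "host $host")
    fi
    if [ -n "$port" ]; then
        case "$port" in
            *[!0-9]*) echo "build_filter: invalid port '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "build_filter: port out of range '$port'" >&2; return 1
        fi
        filter=$(and_term "$filter" "port $port")
    fi
    if [ -n "$sshconn" ]; then
        # SSH_CONNECTION is "<client ip> <client port> <server ip> <server port>".
        # shellcheck disable=SC2086
        set -- $sshconn
        [ "$#" -eq 4 ] || { echo "build_filter: unexpected SSH_CONNECTION '$sshconn'" >&2; return 1; }
        filter=$(and_term "$filter" "not (host $1 and port $2 and host $3 and port $4)")
    fi
    printf '%s' "$filter"
}

# run_capture IFACE [HOST] [PORT] [OUTPUT_PREFIX]
# Captures 100,000 packets like the article, but rotates output with -C/-W
# (100 MB files, at most 10 of them: limits chosen for this example) so a
# long-running capture cannot fill the disk. -Z root keeps root for the file
# write; Debian/Ubuntu builds otherwise drop to the "tcpdump" user, which
# cannot write into /root. Finished files are made readable by root only,
# because a full-payload capture may contain credentials from unencrypted
# protocols.
run_capture() {
    local iface="$1" host="${2:-}" port="${3:-}" out="${4:-/var/tmp/capture}" filter
    filter=$(build_filter "$host" "$port" "${SSH_CONNECTION:-}")
    echo "interface: $iface  filter: ${filter:-<none>}" >&2
    # The filter is intentionally unquoted: tcpdump joins its trailing
    # arguments into one BPF expression.
    # shellcheck disable=SC2086
    sudo tcpdump -ni "$iface" -s 0 -c 100000 -C 100 -W 10 -Z root -w "$out.pcap" $filter
    sudo chmod 600 "$out".pcap*
}

# check_capture FILE -> prints the number of packets in FILE (one line per
# packet from tcpdump -r). Use it before sending: an empty file means the
# filter or interface was wrong, and the same command without "wc" lets you
# eyeball the first packets for anything you must not share.
check_capture() {
    sudo tcpdump -nr "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Usage: capture.sh IFACE [HOST] [PORT] [OUTPUT_PREFIX]
if [ "$#" -ge 1 ]; then
    run_capture "$@"
    for f in "${4:-/var/tmp/capture}".pcap*; do
        echo "$f: $(check_capture "$f") packets"
    done
fi
```

Run it from your SSH session, e.g. ./capture.sh ens18 123.45.67.89 25565, and it prints the filter it uses so you can confirm that your own connection (and nothing else) is excluded before the capture starts.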
Windows – Wireshark (tshark)
Installation
Download Wireshark and install it. The command-line tool tshark is installed alongside it. Accept the Npcap driver offered by the installer; tshark needs it to capture on Windows. If you chose to restrict Npcap to administrators during installation, start the command prompt as Administrator.
List Available Interfaces
```bat
"C:\Program Files\Wireshark\tshark.exe" -D
```
Start Capture
Capture all traffic:
```bat
"C:\Program Files\Wireshark\tshark.exe" -i 1 -c 100000 -w C:\capture.pcap
```
Capture only a specific port:
```bat
"C:\Program Files\Wireshark\tshark.exe" -i 1 -f "port 25565" -c 100000 -w C:\capture.pcap
```
Capture only traffic from/to a specific IP:
```bat
"C:\Program Files\Wireshark\tshark.exe" -i 1 -f "host 123.45.67.89" -c 100000 -w C:\capture.pcap
```
Info
Replace -i 1 with the number of the desired interface from the -D output. The commands above are written for the classic command prompt (cmd.exe); in PowerShell, prefix the quoted path with & so that it is executed rather than echoed. tshark writes the pcapng format by default even when the file is named .pcap; add -F pcap if a classic pcap file is required.
Compress the File
PCAP files can become very large. Compress the file before sending:
Linux:
```bash
gzip capture.pcap
```
Windows (PowerShell):
```powershell
Compress-Archive -Path C:\capture.pcap -DestinationPath C:\capture.zip
```
Send the Result to Support
Include the following information in your support ticket:
- The PCAP file, compressed as .gz or .zip
- Date and time of the capture, including the time zone
- Filter used – which port or IP you filtered
- Brief problem description – e.g. DDoS attack, connection drops, lag spikes
- Affected service – which service on which port is affected
Important
- Capture during the issue – a capture without an active problem provides no useful data.
- Use filters – without filters, the file can quickly grow to several gigabytes.
- Exclude SSH – filter out your own SSH traffic (not port 22, or the port your SSH daemon actually uses) to keep the capture file manageable.
- Check the contents before sending – a full-packet capture includes the payload of unencrypted connections (HTTP, FTP, SMTP, game chat), which may contain passwords or personal data. Open the file in Wireshark first and re-capture with a tighter filter if it contains anything you must not share.