How to create a packet capture for DDoS Traffic analysis
Introduction
This guide will help you create a pcap (packet capture) file using tcpdump, a powerful command-line packet analyzer. This file will be used by our support team to investigate potential DDoS attacks.
Prerequisites
Access to the server during the attack: depending on the type of attack, you might not be able to reach the server over SSH. Make sure you can reach it through the console (on VPS services) or IPMI (on dedicated servers) before the attack starts.
1. Install tcpdump
Most Linux distributions come with tcpdump pre-installed. If it's not installed, you can install it using your package manager.
For Ubuntu/Debian:
sudo apt update
sudo apt install tcpdump
For Alma/Rocky/RHEL:
sudo yum install tcpdump
2. Capture Traffic and Save to a pcap File
To capture traffic and save it to a file, use the -w option followed by the filename. For example:
sudo tcpdump -w capture.pcap
Run tcpdump only while the attack is in progress. A capture left running unattended grows quickly and can fill the disk, and traffic from outside the attack window is of no use to the analysis.
To stop the packet capture, press Ctrl+C.
3. Verify the Capture File
You can verify that the capture file was created and contains data using tcpdump itself:
tcpdump -r capture.pcap
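The following script is an added example and is not part of the original guide. It wraps steps 2 and 3 in small shell functions: a bounded capture (the -c packet limit stops tcpdump by itself so it cannot run on unattended), a check that the file really begins with a pcap or pcapng magic number before it is sent to support, and a quick count of the most frequent source addresses from tcpdump's text output, which is a useful sanity check that the capture actually contains the flood. The interface name eth0, the packet count and the file name are assumptions; adjust them for your server.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes tcpdump is installed and
# that the capture functions are run as root (the checks below need no root).

# Capture at most "$2" packets on interface "$1" into file "$3".
# -n avoids DNS lookups during a flood; -c bounds the run so the capture
# stops by itself instead of growing until the disk is full.
capture_bounded() {
  iface="$1"; count="$2"; out="$3"
  tcpdump -i "$iface" -n -c "$count" -w "$out"
}

# Return 0 if the file starts with a pcap (classic, nanosecond, either byte
# order) or pcapng magic number, 1 otherwise. Catches an empty or truncated
# file before it is uploaded.
pcap_magic_ok() {
  magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  case "$magic" in
    a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1|0a0d0d0a) return 0 ;;
    *) return 1 ;;
  esac
}

# Read "tcpdump -n" text lines on stdin and print "count source" lines,
# most frequent first. For IPv4 the trailing ".port" is stripped; other
# address forms (IPv6, ARP) are counted as printed.
top_sources() {
  awk '$2 == "IP" {
         n = split($3, p, ".")
         src = (n == 5) ? p[1] "." p[2] "." p[3] "." p[4] : $3
         c[src]++
       }
       END { for (k in c) print c[k], k }' | sort -rn
}

# Typical use during an attack (interface name and count are assumptions):
#   capture_bounded eth0 200000 capture.pcap
#   pcap_magic_ok capture.pcap && echo "capture.pcap looks like a valid pcap"
#   tcpdump -n -r capture.pcap | top_sources | head
```

The top_sources step is only a rough triage view for you; support still needs the full pcap file, since the packet headers and payload sizes matter for identifying the attack type.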
4. Downloading the pcap File
To download the pcap file, connect to the server using SFTP. Once connected, you will find the pcap file in the same directory you ran the tcpdump command from.
5. Uploading the pcap File
Once you have the pcap file, send it to our support team by uploading it to a file sharing platform or attaching it to an email.
Conclusion
Following these steps will help you create a pcap file using tcpdump, enabling our support team to analyze the traffic and investigate potential DDoS attacks. If you encounter any issues or need further assistance, please contact our support team.
Updated on: 04/07/2024
Thank you!