This step-by-step guide shows how to record a packet capture (pcap) for our SOC team.
Step 1:
Ensure tcpdump is installed; if it is not, install it from your operating system's package manager:
For Debian/Ubuntu: apt install tcpdump
For CentOS: yum install tcpdump
Step 2:
Determine the name of your primary network interface by running: ip a or ifconfig
Here we can see it is enp1s0f0; on our standard installs it will in most cases simply be primary.
Step 3:
Only while the attack is in progress, launch the following command as root (or with sudo; tcpdump needs raw socket access):
tcpdump -s 0 -i <INTERFACE NAME FROM ABOVE (e.g. enp1s0f0)> -w attack.pcap
-s 0 records full packets instead of truncating them, so the file grows quickly under attack traffic; keep an eye on free disk space. Let it run for at least 30 seconds, then stop it with Ctrl+C so tcpdump closes the file cleanly.
Copy attack.pcap off your server (for example with scp).
Reply to the ticket with the packet capture attached. If it is too large for our ticketing system, upload it to Google Drive or another safe file-sharing service and include the download link in your reply. The capture contains full packet payloads, including any unencrypted traffic to the server, so only share it through a service you trust.
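The three steps above, wrapped into one script as an added example (this is not part of the original guide and not a tool our SOC team ships). It assumes iproute2 (ip) is available, that GNU timeout exists (it sends SIGTERM, which tcpdump handles by closing the pcap cleanly, so it stands in for the manual Ctrl+C), and that the interface carrying the default route is the one to capture on; the file name attack.pcap and the 30 second duration are the guide's, everything else is the example's own. The same rule applies: run it only while the attack is in progress.

```shell
#!/bin/sh
# Added example, not from the original guide: automates Steps 1-3.
# Assumptions: iproute2 "ip", GNU coreutils "timeout", run as root.

# Step 1: is tcpdump on the PATH?
check_tcpdump() {
    command -v tcpdump >/dev/null 2>&1
}

# Step 2 (pure part): pull the interface name out of "ip route show default"
# text, e.g. "default via 203.0.113.1 dev enp1s0f0 proto static" -> enp1s0f0.
# The text is passed in as an argument so this can be exercised offline;
# with several default routes the first (preferred) one wins.
iface_from_default_route() {
    printf '%s\n' "$1" | awk '
        /^default/ { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Step 2 (live part): ask the kernel for the default route and parse it.
detect_iface() {
    iface_from_default_route "$(ip route show default 2>/dev/null)"
}

# timeout exits 124 when it had to stop tcpdump, which is the normal case here;
# 0 means tcpdump ended on its own. Anything else is a real failure.
timeout_status_ok() {
    [ "$1" -eq 0 ] || [ "$1" -eq 124 ]
}

# Step 3: the guide's tcpdump command, stopped automatically after N seconds.
capture() {
    iface="$1"; outfile="$2"; seconds="${3:-30}"
    if [ "$(id -u)" -ne 0 ]; then
        echo "tcpdump needs root; rerun with sudo" >&2; return 1
    fi
    if [ -z "$iface" ]; then
        echo "could not determine an interface; pass one explicitly" >&2; return 1
    fi
    echo "capturing on $iface for ${seconds}s -> $outfile" >&2
    timeout "$seconds" tcpdump -s 0 -i "$iface" -w "$outfile"
    status=$?
    timeout_status_ok "$status" || return "$status"
    ls -l "$outfile" >&2   # size check before you copy it off the server
}

main() {
    check_tcpdump || {
        echo "tcpdump not installed: apt install tcpdump / yum install tcpdump" >&2
        exit 1
    }
    iface="${1:-$(detect_iface)}"
    capture "$iface" "${2:-attack.pcap}" "${3:-30}"
}

# Only captures when invoked with "run":
#   sudo sh capture.sh run [interface] [output file] [seconds]
if [ "${1:-}" = "run" ]; then
    shift
    main "$@"
fi
```

Pass the interface explicitly as the first argument if the default-route heuristic picks the wrong NIC (for example on a host with a separate management interface); the remaining arguments default to attack.pcap and 30 seconds.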