How to Capture Network Traffic Between Two Systems Using Tcpdump/WinDump Tool

Published: Apr 1, 2025
Task

GOAL

Sometimes it is necessary to inspect network traffic between two systems to debug transports or to see the network conditions that cause a problem. In these cases, it is possible that you will be asked by the Support representative to capture traffic between your Mule server and the external system for review.

Steps

To capture traffic between Mule and a different system, you might need to install and run a piece of software on the same computer that is running Mule. Once the capture files have been created, compress (zip) them before attaching them to your support case.
Please follow the instructions for the platform on which Mule is running.
Note: in all cases it is recommended to compress the capture files with gzip after finishing the capture.

Linux / Unix:

The software for packet capture is called tcpdump. You can install it through your system's package manager.
You can use it to capture all the traffic through a network interface to a file:

sudo tcpdump -i <interface> -s0 -vv -w <capture_file>

Examples:

  • Simple capture:
$ sudo tcpdump -i eth0 -s0 -vv -w capture.cap

            To finish the capture press Control-C.

  • If you want to capture only traffic to a specific host you can add the host parameter:
$ sudo tcpdump -i eth0 -s0 -vv -w /tmp/capture.cap -n host 192.168.1.121
  • To capture only traffic on a single port:
$ sudo tcpdump -i eth0 -s0 -vv -w capture.cap -n port 80
  • To capture traffic to a host and a port (test it on the testing server before executing it on the PROD server):
$ sudo tcpdump -i eth0 -s0 -vv -w capture.cap -n 'host 192.168.1.121 and port 80'

            The same filter run in the background with nohup and size-based file rotation (-C/-W, explained below). The first variant also redirects tcpdump's own messages to tcpdump.out; the last one captures on all interfaces and drops privileges to <username> with -Z:
$ nohup sudo tcpdump -i eth0 -s0 -vv -C 256 -W 10 -w capture.pcap -n 'host <IP> and port <port>' > tcpdump.out 2>&1 &
$ nohup sudo tcpdump -i eth0 -s0 -vv -C 256 -W 10 -w capture.pcap -n 'host <IP> and port <port>' &
$ nohup sudo tcpdump -i any -s0 -vv -C 256 -W 10 -w capture.pcap -Z <username> -n 'host <IP> and port <port>'  &
  • To capture with rotating capture by interval
$ sudo tcpdump -i eth0 -s0 -vv -G 3600 -w 'capture-%y_%m_%d_%H_%M_%S.pcap' -Z root

           (-G is the number of seconds between rotations; -Z sets the user tcpdump drops privileges to after opening the interface, so -Z root keeps it running as root and resolves the permission denied error when new files are created)

  • To capture with rotating capture by file size
$ sudo tcpdump -i any -s0 -vv -C 10 -W 50 -w capture.pcap

            (-C is the maximum size of each capture file, in millions of bytes; -W is the number of rollover files)

  • Unattended captures

            NOTE: For unattended captures we strongly recommend setting a maximum file size and a number of rollover files

$ sudo tcpdump -i eth0 -s0 -vv  -C 10 -W 5 -w capture.cap -n host 192.168.1.1 > out.txt 2>&1
  • Capture only the first N bytes of each packet (if detailed payload information is not needed). The example below keeps the first 64 bytes:
$ sudo tcpdump -i any -s 64 host www.google.com
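
The unattended-capture pattern above (nohup, -C/-W rotation, -Z, then gzip of the rotated files as recommended at the top of this article) as a small POSIX shell wrapper. This is an added example, not part of the original article; it assumes tcpdump, nohup and gzip are on the PATH and that it is run as root or via sudo.

```shell
#!/bin/sh
# Added example: unattended, rotating tcpdump capture for one host and port,
# followed by gzip compression of the rotated files.
# Assumes tcpdump, nohup and gzip are installed and the script runs as root.

# Build the tcpdump command line.
# Args: interface host port size_MB file_count outfile drop_to_user
build_capture_cmd() {
    iface=$1; host=$2; port=$3; size_mb=$4; count=$5; outfile=$6; user=$7
    # -s0: full packets, -n: no name lookups, -C/-W: rotate by size (units of
    # millions of bytes) keeping $count files, -Z: drop privileges to $user after
    # the interface is opened so rotated files are created as that user.
    # The filter is single-quoted so the shell passes it as one expression.
    printf "tcpdump -i %s -s0 -n -C %s -W %s -Z %s -w %s 'host %s and port %s'" \
        "$iface" "$size_mb" "$count" "$user" "$outfile" "$host" "$port"
}

# Start the capture detached with nohup and print the tcpdump PID.
# Stop it later with: kill -INT <pid>   (same effect as Control-C)
start_capture() {
    cmd=$(build_capture_cmd "$@")
    nohup sh -c "exec $cmd" > tcpdump.out 2>&1 &
    echo $!
}

# gzip every rotated file for the given prefix (tcpdump appends a numeric
# suffix to the -w name when -C/-W are used). Prints the number compressed.
compress_captures() {
    prefix=$1
    n=0
    for f in "$prefix"*; do
        [ -f "$f" ] || continue
        case $f in *.gz) continue ;; esac   # skip files already compressed
        gzip -f "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Typical use (commented out so the file can be sourced without capturing):
# pid=$(start_capture eth0 192.168.1.121 80 256 10 capture.pcap root)
# ... reproduce the problem ...; kill -INT "$pid"; wait
# compress_captures capture.pcap
```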


For more complex filters please refer to tcpdump documentation.

MacOS

TcpDump is installed by default with MacOS 10.4 and greater. You can use it in the same way as in other Unixes:

sudo tcpdump -i <interface> -s0 -vv -w <capture_file>

Example (macOS interface names are usually en0, en1, ...; check with ifconfig):

$ sudo tcpdump -i en0 -s0 -vv -w capture.cap

Windows

Using the UI on Windows

If you prefer using a graphical interface, you can use Wireshark.
Here is a simple guide from the official website to getting started on the packet capture.

As mentioned in the following link:
"The Wireshark installer includes Npcap which is required for packet capture."

https://www.wireshark.org/docs/wsug_html_chunked/ChBuildInstallWinInstall.html#:~:text=The%20Wireshark%20installer%20includes%20Npcap,download.html%20and%20execute%20it.

According to https://npcap.com/:
"Npcap is the Nmap Project's packet capture (and sending) library for Microsoft Windows."
"Npcap began in 2013 as some improvements to the (now discontinued) WinPcap library, but has been largely rewritten since then with hundreds of releases improving Npcap's speed, portability, security, and efficiency."


Using the command line

You will need to download two installers. The first is WinPcap, a driver that allows the capture of network traffic; once you have installed WinPcap, download WinDump.
Copy windump.exe to your Windows directory so that it is in the path. Once WinDump is installed, open a command window and use the same syntax as before:

windump -s0 -vv -w capture-file.cap

WinDump will automatically capture traffic on the first network interface it finds. If you need to select a different interface, use "windump -D" to see all your system's network adapters and then use the name with the "-i" switch.
Example:

c:\> windump -i \Device\NPF_{B1CCEB2C-5112-4650-BD1C-D29C4E8CF844} -s0 -vv -w capture.cap

In all cases, you can interrupt the capture with Control-C.

Knowledge Article Number

001115091
