Using tcpdump will get it for you. Example command:
Code:
tcpdump -w 0001.pcap -s0 -vi interfacename dst YourServerIP
0001.pcap would be the name of the file written with tcpdump data, interfacename would be the name of the network interface you are using, and of course YourServerIP would be the IP address your server is using.
During an attack you would only need to run it for a max of 30 seconds to get a good sample. Then, to read the file after the sample is taken, do:
Code:
tcpdump -r filename
https://www.comparitech.com/net-admi...p-cheat-sheet/
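
The capture-then-read procedure above, as an added example that is not part of the original post: it bounds the capture at 30 seconds and counts packets per source address so the heaviest senders stand out. `top_sources`, `capture_sample` and `SAMPLE_LINES` are hypothetical names, the sample lines are constructed, and GNU `timeout` is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example: bounded capture plus a per-source packet count.
# Helper names are hypothetical; sample data below is constructed.

# Count packets per source IPv4 address from `tcpdump -nn` text on stdin.
# Prints "count address" lines, busiest first, limited to $1 rows (default 10).
# IPv6 lines (tagged "IP6" by tcpdump) are skipped.
top_sources() {
    awk '$2 == "IP" {
             src = $3
             # TCP/UDP sources print as a.b.c.d.port; ICMP and other
             # portless protocols print as a.b.c.d, so only strip a 5th field.
             if (src ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                 sub(/\.[0-9]+$/, "", src)
             count[src]++
         }
         END { for (s in count) print count[s], s }' |
    sort -k1,1nr -k2,2 | head -n "${1:-10}"
}

# Capture traffic to the server for at most 30 seconds, then summarise it.
# Arguments: interface name, server IP, optional output file.
capture_sample() {
    local iface=$1 server_ip=$2 out=${3:-0001.pcap}
    # timeout sends SIGTERM after 30 s; tcpdump flushes the file and exits.
    timeout 30 tcpdump -w "$out" -s0 -i "$iface" dst "$server_ip"
    # -nn keeps addresses and ports numeric so the counts are per IP.
    tcpdump -nn -r "$out" | top_sources 10
}

# Constructed sample of `tcpdump -nn -r` output (documentation addresses).
SAMPLE_LINES='12:00:00.000001 IP 203.0.113.5.51234 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000002 IP 203.0.113.5.51235 > 192.0.2.10.80: Flags [S], seq 2, win 64240, length 0
12:00:00.000003 IP 198.51.100.7.40000 > 192.0.2.10.80: Flags [S], seq 3, win 64240, length 0
12:00:00.000004 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64'
```

Running `printf '%s\n' "$SAMPLE_LINES" | top_sources` exercises the summary without a live capture; `capture_sample` itself needs root privileges to open the interface.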