Wireshark is the correct answer because it is widely used for packet capture and analysis, allowing the analyst to observe the data being transmitted to and from the server in question. This can help in determining the nature of the traffic and whether it is indeed malicious. tcpdump could also capture the traffic but lacks the comprehensive analysis features found in Wireshark, making it less suitable for deeper investigation in this scenario. SNMP is a management protocol used for network management and monitoring devices on IP networks, not for packet analysis. WHOIS is used for querying databases to obtain information about the registration of domain names and IP addresses, which might be a subsequent step but not the primary tool for capturing and analyzing live traffic.