How do I see the incoming traffic into my VM during the Nmap scan? [closed]

I’m testing this decoy feature from nmap, and pretend to be a bad guy. I will run it against my owned VM.

sudo nmap -sS -sV 142.93.112.115 -D 192.168.0.3,10.0.0.2,172.33.22.1 

If I SSH into my server, wow do I see the incoming traffic into my VM (Ubuntu) during the Nmap scan ?

I’ve tried netstat -plant, and iftop, not so good.

How to defend against network traffic pattern correlation attacks?

If i am chaining multiple VPN’s and possibly running through Tor as well, network correlation attacks can be performed against me to try to locate my position. If my network spikes a download for 40MB/s for 3 secounds, governments with collectors accross the world would be able to see this spike and correlate me with my VPN chains.

Is there a way to defend against this?

I would assume if a tool was made to generate random dummy traffic each at layer of VPNs, then they would not be able to correlate as well. Does such a tool exists?