It happens to all of us, some weird random problem that happens after-hours or some especially whiny end user. It'd be a hell of a lot easier if you had a historical capture of the data within that timeframe right? Well, if you have a shitty desktop or laptop with a non-flash based HDD (more room typically) you can make that happen.
1.SPAN, RSPAN or ERSPAN (or a hub but that's a bad idea long term) the port or traffic to your laptop using the Googles (you want a port in the path of the affected user or their port)
https://ccie-or-null.net/2011/04/04/configure-span-session/
- Setup dumpcap
https://www.youtube.com/watch?v=WJM9wSR8PVM
- Review those sweet, sweet PCAPs around the timeframe and begin to correlate what's happening in your infrastructure around that timeframe.
4: ???
5: Profit
Edit: Add a second NIC to be able to manage the box, or you won't be able to get to it as a SPAN destination.
No comments:
Post a Comment