In some cases, it's useful to be able to capture the traffic between the Collector and the Engine either to find out if there's a communication issue or for the Collector Team to be able to check what data the Collector is sending to the Engine from a given source. This data is encrypted and only the Collector Team will be able to open the output.
So, how can I capture the traffic between the Collector and the Engine?
Capture the traffic for a specific Source by entering the following command on the Appliance hosting the Engine, after connecting to it using the command line interface (CLI): Start capturing the traffic with the following command (from the Engine Appliance's side):CODE
sudo tcpdump -i any "src DeviceIPAddress and udp port 999" -w engine.pcap -s 0
Please note that you must replace DeviceIPAddress with the IP address of the Device which has the issue.
Restart the collector or the endpoint.
Wait 30 min to be sure we'll have enough packets to analyze.
In case the SSH connection drops or you cannot stay connected to the Appliance CLI during the traffic capture time period, you can get back the session you had by using the screen. In order to do that, connect to the CLI and use the following command:CODE
The above command will list all the active sessions. To connect to the one you opened, use the following command (and replace with the number of the session you want to connect to):CODE
Go back to the Engine CLI window and press CTRL+C to stop the capture.
Provide us the following file by attaching them to a ticket: In the Engine, you should have the engine.pcap file located in the home directory of the Nexthink user.