11.12.08
Here is a quick little command line that you can use to capture all the DNS traffic seen by the analyzer:
tshark -n -i 5 -R "dns.flags.response == 0"
Just replace the "-i 5" with the appropriate interface for your analyzer. You can find out the interface numbers by using the following command:
tshark -D
If you want to get fancy, pipe this to a text file, or use a program such as klog.exe to send it to syslog. We have used this in combination with Splunk to keep track of all the DNS queries. Splunk allows us to search the queries for specific data patterns. It is a great way to see where people are going, without a fancy proxy server.
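An added post-processing example, not part of the original post: it assumes the tshark line above is run as `tshark -n -i 5 -l -T fields -e frame.time_epoch -e ip.src -e dns.qry.name -R "dns.flags.response == 0"` (real tshark field names) and summarises the resulting tab-separated output per client host into one-line records that can be written to a file or forwarded to syslog. The sample input is constructed, and the two-label domain collapse is a deliberate simplification.

```python
"""Summarise DNS queries exported by tshark as tab-separated fields.

Assumed producer command (field names are real tshark fields):
  tshark -n -i 5 -l -T fields -e frame.time_epoch -e ip.src -e dns.qry.name \
         -R "dns.flags.response == 0"
"""
from collections import Counter, defaultdict

# Constructed sample of what the command above prints (not a real capture).
SAMPLE = """\
1226300000.101\t10.1.1.20\twww.example.com
1226300000.250\t10.1.1.20\tcdn.example.com
1226300001.017\t10.1.1.31\tmail.example.org
1226300001.900\t10.1.1.20\twww.example.com
1226300002.333\t10.1.1.31\t
1226300003.000\t10.1.1.45\tupdates.vendor-test.net
"""

def parse_lines(text):
    """Yield (epoch, src_ip, qname) tuples, skipping rows with no query name."""
    for raw in text.splitlines():
        parts = raw.split("\t")
        if len(parts) != 3:
            continue  # malformed or partial line (e.g. cut off by a pipe)
        epoch, src, qname = parts
        qname = qname.strip().rstrip(".").lower()
        if not qname:
            continue  # a query tshark could not decode a name for
        yield float(epoch), src, qname

def base_domain(qname, labels=2):
    """Collapse a name to its last `labels` labels. Simplification: ignores
    multi-part public suffixes such as co.uk."""
    return ".".join(qname.split(".")[-labels:])

def summarize(text):
    """Return {src_ip: Counter({base_domain: query_count})}."""
    per_host = defaultdict(Counter)
    for _epoch, src, qname in parse_lines(text):
        per_host[src][base_domain(qname)] += 1
    return per_host

def syslog_lines(per_host, tag="dnsmon"):
    """Render one summary line per host, suitable for forwarding to syslog."""
    out = []
    for src in sorted(per_host):
        top = ", ".join(f"{d}={n}" for d, n in per_host[src].most_common(3))
        out.append(f"{tag}: src={src} queries={sum(per_host[src].values())} top={top}")
    return out

if __name__ == "__main__":
    for line in syslog_lines(summarize(SAMPLE)):
        print(line)
```

To run it against a live capture, replace SAMPLE with the tshark process's stdout read line by line; the `-l` flag keeps tshark from buffering its output.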
Filed under: Tips
11.06.08
Sometimes the most difficult part of isolating a network problem is getting a good capture. With Fluke Networks' new Series III OptiView, we can capture at full line rate on Gig and set up free-form string filters. However, none of this does us any good if we can't stop the trace before the problem packets roll out of the buffer.
We have created a short video showing how to use the new Series III to allow the person experiencing the problem to stop the trace. Check out this video and see how to configure the OptiView to implement triggers. Even if you don’t have a Series III, it is worth seeing what this instrument can do.
Filed under: Tips, Videos
10.30.08
We have created a new group on LinkedIn called Protocol Analysis and Troubleshooting.
Filed under: Tips
06.06.08
Here is a video showing how to get started capturing packets with Wireshark. There will be more to come!
Filed under: Tips
05.09.08
It is not easy to capture the right packets at the right time. So, in many cases, it is better to capture all of the packets all of the time and just look at those that were going across the wire at the time of the problem.
Filed under: Tips