
Community Blog


Traffic Capture Feature on NIOS GUI

by Thomas Lee, Technical Marketing Engineer at Infoblox

Summary

You are a network engineer and you have been asked to troubleshoot a DNS issue involving an Infoblox DNS appliance. First determine whether you can ping the DNS server from your workstation and/or the user's workstation. If ping succeeds, the network path to the DNS server is reachable. Keep in mind that a successful ping only proves ICMP reachability; it does not prove that UDP and TCP port 53 are open through any firewall in between, so also send a test query straight at the server (for example with dig or nslookup) before moving on.

If the problem has to do with the answers coming back from the DNS server, you have to perform a packet capture or read the syslog. If you decide on a packet capture, you could configure port mirroring on a switch in the data path to the DNS server, but that takes time and you need access to the switch.

What if you could capture traffic on the Infoblox appliance itself? Sound good? With an Infoblox DDI appliance you can perform a packet capture directly on the member.

Instructions for configuring packet capture:

1. Log into the GUI.

2. Navigate to Grid --> Grid Manager --> Members --> Toolbar --> Traffic Capture.

traffic 1.png

3. Click on Traffic Capture on the lower right side of the screen.

traffic 2.png

4. You need to add the member on which to capture packets. Click the '+' button to do so.

traffic 3.png

5. Select a member by double-clicking on it.

traffic 4.png

6. Click on the Interface drop-down menu and select the interface on which to capture traffic. If you leave it unset, the captured packets will not carry any source or destination MAC address information when you display them.

traffic 5.png

7. Click on the 'play' button to start the packet capture.

traffic 6.png

8. At this point you can close this window, make any other changes in the GUI, and reopen the Traffic Capture screen later. The capture keeps running until its duration of 1800 seconds elapses, or until you end it early with the 'stop' button. On a busy production member, stop the capture as soon as you have reproduced the problem rather than letting it run the full duration: the capture consumes resources on the appliance and collects every client's queries in the meantime.

traffic 7.png

9. Click on the member and then click on the 'Download' button to download the capture file. The file is a .tar.gz archive; extract it (for example with tar xzf) and you get a file named traffic<number>.cap, which you can open in Wireshark. Treat the file as sensitive data: it contains the IP addresses of every client that queried the member and the names they looked up, so store it with the same care as the syslog and delete it when the investigation is over.

10. Here is a screenshot of the Wireshark screen. The fully qualified domain name (FQDN) that was queried was www.cnn.com. As you can see, recursion is going on between 10.60.22.233 and 52.119.40.100 to get the answer: the member at 10.60.22.233 does not have the record, so it queries 52.119.40.100 and passes the result back to the client. The DNS server at 10.60.22.233 then caches www.cnn.com and answers further queries for it from cache until the TTL of the www.cnn.com record expires. In Wireshark, the dns.time field on each response shows the time since the matching query, which makes it easy to see whether the delay is on the member or on the upstream hop.

traffic 8.png
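Once traffic<number>.cap is extracted, the same analysis can be scripted instead of clicked through in Wireshark. The following is an added example, not Infoblox code and not from the original post: a standard-library Python script that walks the pcap, pairs each DNS query with its response by transaction ID and endpoints, and reports the latency of each hop plus the TTL the member will cache the answer for, so the two exchanges in the screenshot (client to 10.60.22.233, then 10.60.22.233 to 52.119.40.100) show up as two separate latencies. It assumes the .cap file is a classic pcap with the Ethernet link type (if your copy is pcapng, convert it first with editcap -F pcap); the embedded SAMPLE_CAP is constructed to mimic the page's scenario, and its client address 10.60.22.50, source ports, timestamps and the answer 192.0.2.10 are made up.

```python
"""DNS query/response timeline from a NIOS traffic capture (classic pcap,
Ethernet/IPv4/UDP port 53). Added example, not Infoblox code; stdlib only.
Assumes the little-endian pcap magic 0xa1b2c3d4 and the Ethernet link type;
other frames are skipped. SAMPLE_CAP is constructed to mimic the page's
scenario; the client 10.60.22.50, ports and answer 192.0.2.10 are made up."""
import struct
import sys
from socket import inet_aton, inet_ntoa

def _read_name(msg, off):
    """Decode a DNS name at msg[off], following RFC 1035 compression pointers."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # pointer into an earlier name
            end = end if jumped else off + 2
            off, jumped, hops = struct.unpack_from("!H", msg, off)[0] & 0x3FFF, True, hops + 1
            if hops > 64:                            # malformed message: pointer loop
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels) or ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length

def parse_dns(msg):
    """Return id, response flag, questions [(name, qtype)] and answers [(name, type, ttl, rdata)]."""
    txid, flags, qd, an, _, _ = struct.unpack_from("!6H", msg, 0)
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        questions.append((name, struct.unpack_from("!H", msg, off)[0]))
        off += 4                                     # qtype + qclass
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        answers.append((name, rtype, ttl, inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata))
    return {"id": txid, "response": bool(flags & 0x8000), "questions": questions, "answers": answers}

def read_pcap(data):
    """Yield (timestamp_us, src_ip, dst_ip, udp_payload) for every UDP/53 frame."""
    magic, *_, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        frame, off = data[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                                 # not IPv4/UDP
        udp = 14 + (frame[14] & 0x0F) * 4
        sport, dport, ulen = struct.unpack_from("!HHH", frame, udp)
        if 53 in (sport, dport):
            yield sec * 1_000_000 + usec, inet_ntoa(frame[26:30]), inet_ntoa(frame[30:34]), frame[udp + 8:udp + ulen]

def dns_timeline(data):
    """Pair each query with its response by (id, client, server); latency in microseconds."""
    pending, rows = {}, []
    for ts, src, dst, payload in read_pcap(data):
        try:
            d = parse_dns(payload)
        except (struct.error, ValueError, IndexError):
            continue                                 # truncated or non-DNS payload: skip it
        row = {"t_us": ts, "src": src, "dst": dst, "id": d["id"], "latency_us": None, "min_ttl": None,
               "qname": d["questions"][0][0] if d["questions"] else "?",
               "kind": "response" if d["response"] else "query"}
        if d["response"]:
            t0 = pending.pop((d["id"], dst, src), None)  # the response's dst is the original client
            row["latency_us"] = None if t0 is None else ts - t0
            ttls = [a[2] for a in d["answers"]]
            row["min_ttl"] = min(ttls) if ttls else None # how long the member serves it from cache
        else:
            pending[(d["id"], src, dst)] = ts
        rows.append(row)
    return rows

# --- constructed sample capture (made up for this example, not from an appliance) ---
def wire_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
def dns_msg(txid, name, answer=None):   # query (RD) or, with answer=(ip, ttl), response (QR|RD|RA)
    hdr = struct.pack("!6H", txid, 0x8180 if answer else 0x0100, 1, 1 if answer else 0, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, answer[1], 4) + inet_aton(answer[0]) if answer else b""
    return hdr + wire_name(name) + b"\x00\x01\x00\x01" + rr   # one A/IN question; RR name is a 0xC00C pointer
def pcap_frame(sec, usec, src, dst, sport, dport, dns):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, inet_aton(src), inet_aton(dst)) + udp
    eth = bytes(range(6)) + bytes(range(6, 12)) + b"\x08\x00" + ip
    return struct.pack("<IIII", sec, usec, len(eth), len(eth)) + eth
SAMPLE_CAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    + pcap_frame(1000, 100, "10.60.22.50", "10.60.22.233", 49152, 53, dns_msg(0x1A2B, "www.cnn.com"))
    + pcap_frame(1000, 400, "10.60.22.233", "52.119.40.100", 40001, 53, dns_msg(0x3C4D, "www.cnn.com"))
    + pcap_frame(1000, 18900, "52.119.40.100", "10.60.22.233", 53, 40001, dns_msg(0x3C4D, "www.cnn.com", ("192.0.2.10", 60)))
    + pcap_frame(1000, 19200, "10.60.22.233", "10.60.22.50", 53, 49152, dns_msg(0x1A2B, "www.cnn.com", ("192.0.2.10", 60))))

def main(path=None):   # python dns_timeline.py traffic1.cap   (no argument: run on SAMPLE_CAP)
    for r in dns_timeline(open(path, "rb").read() if path else SAMPLE_CAP):
        lat = "" if r["latency_us"] is None else f"  {r['latency_us'] / 1000:.3f} ms"
        ttl = "" if r["min_ttl"] is None else f"  ttl={r['min_ttl']}"
        print(f"{r['t_us'] / 1e6:.6f}  {r['src']:>15} -> {r['dst']:<15} {r['kind']:8} {r['qname']}{lat}{ttl}")

if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it as python dns_timeline.py traffic1.cap; with no argument it prints the constructed sample, where the upstream exchange takes 18.5 ms and the client sees 19.1 ms end to end. The pairing key is (transaction ID, client, server) rather than the ID alone, because the member's recursive query to the upstream server carries its own ID and its own endpoints. A response that matches no pending query is still listed, with an empty latency; that is also how an unsolicited or spoofed response would look in the timeline. The name decoder caps compression-pointer hops so a malformed message in the capture raises an error and is skipped instead of looping forever.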
