Traffic Capture Feature on NIOS GUI
by Thomas Lee, Technical Marketing Engineer at Infoblox
You are a network engineer and you have been asked to troubleshoot a DNS issue involving an Infoblox DNS appliance. First you determine whether you can ping the DNS server from your workstation and/or the user's workstation. If yes, basic reachability to the DNS server is ruled out as the cause (keep in mind that a successful ping only proves ICMP gets through; a firewall could still be blocking UDP or TCP port 53).
If the problem has to do with the answers coming back from the DNS server, then you have to perform a packet capture or look at the syslog. If you decide to do a packet capture, you could configure port mirroring on a switch in the data path to the DNS server. This takes time, requires access to the switch, and you need a capture host plugged into the mirror port.
What if you could capture packets on the Infoblox appliance itself? Sound good? With an Infoblox DDI appliance you can: the NIOS GUI has a built-in Traffic Capture feature.
Instructions for configuring packet capture:
1. Log into the GUI.
2. Navigate to Grid --> Grid Manager --> Members --> Toolbar --> Traffic Capture.
3. Click on Traffic Capture on the lower right side of the screen.
4. You will need to add the member on which to capture packets. Click on the '+' button to do so.
5. Select a member by double-clicking on it.
6. Click on the Interface drop-down menu and select the interface on which to capture traffic. If you leave it unset, the captured packets will not carry any source or destination MAC address information when you view them.
7. Click on the 'play' button to start the packet capture.
8. At this point you can close this window, make any other changes in the GUI, and then reopen the Traffic Capture screen. The capture keeps running until the duration (1800 seconds here) elapses, or until you stop it early with the 'stop' button.
9. Click on the member and then click on the 'Download' button to download the capture file. The file is a .tar.gz archive; uncompress it and you will find a file named traffic<number>.cap, which you can open in Wireshark.
10. Here is a screenshot of the Wireshark screen. The fully qualified domain name (FQDN) that was queried was www.cnn.com. As you can see, recursion is taking place between 10.60.22.233 and 184.108.40.206 to obtain the answer. The DNS server at 10.60.22.233 caches the www.cnn.com record, so it will answer further queries for that name from cache, without going upstream again, until the record's TTL expires.
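If you want to read the downloaded capture without Wireshark, or script the check, the following decoder does what step 10 does by eye: it walks the pcap, picks out the UDP port 53 packets, and labels each one as the client's query, the appliance's recursive query upstream, the upstream answer, or the answer to the client, then lists the client queries that were served from cache. This is an added example, not Infoblox code and not part of the original article. The appliance address 10.60.22.233 and the upstream 184.108.40.206 come from the screenshot description above; the client address 10.60.22.50, the answer 192.0.2.10 and the whole capture are constructed so the script runs offline. On a real download, read the extracted traffic<number>.cap with `open(path, "rb").read()` and pass the bytes to `dns_packets()`.

```python
"""Reader for the traffic<number>.cap in a NIOS capture download; added example, not Infoblox code; runs offline on a constructed sample."""
import socket, struct

RESOLVER, UPSTREAM = "10.60.22.233", "184.108.40.206"  # appliance and the server it recursed to, from the page
CLIENT, ANSWER = "10.60.22.50", "192.0.2.10"           # assumed: client address and A record (RFC 5737 range)

def iter_pcap(data):
    """Yield Ethernet frames from classic pcap bytes (either byte order of the magic)."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack_from("<I", data)[0]]
    off = 24                                   # skip the global header
    while off + 16 <= len(data):               # 16-byte record header, then the frame
        incl = struct.unpack_from(endian + "IIII", data, off)[2]
        yield data[off + 16: off + 16 + incl]
        off += 16 + incl

def read_name(msg, off):
    """Decode a DNS name, following compression pointers (RFC 1035 4.1.4)."""
    labels, end = [], None
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:            # pointer: resume after it once done
            end = end or off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
        else:
            labels.append(msg[off + 1: off + 1 + msg[off]].decode("ascii"))
            off += 1 + msg[off]
    return ".".join(labels), (end or off + 1)

def parse_dns(msg):
    """Header, the single question and the answer section of a DNS message."""
    tid, flags, _, an = struct.unpack_from("!HHHH", msg)
    qname, off = read_name(msg, 12); off += 4  # skip QTYPE, QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata = msg[off + 10: off + 10 + rdlen]; off += 10 + rdlen
        answers.append((name, ttl, socket.inet_ntoa(rdata) if rtype == 1 else rdata))
    return {"id": tid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "qname": qname, "answers": answers}

def dns_packets(pcap_bytes):
    """Every IPv4/UDP port-53 packet in the capture, decoded, in capture order."""
    out = []
    for f in iter_pcap(pcap_bytes):
        if f[12:14] != b"\x08\x00" or f[23] != 17:   # not IPv4, or not UDP
            continue
        udp = 14 + (f[14] & 0x0F) * 4          # Ethernet header + IP header (IHL)
        sport, dport, ulen = struct.unpack_from("!HHH", f, udp)
        if 53 in (sport, dport):
            rec = parse_dns(f[udp + 8: udp + ulen])
            rec.update(src=socket.inet_ntoa(f[26:30]), dst=socket.inet_ntoa(f[30:34]))
            out.append(rec)
    return out

def role(p, resolver=RESOLVER):
    """Which leg of the lookup a packet is, judged by whether the appliance sent it."""
    if not p["qr"]:
        return "client query" if p["dst"] == resolver else "recursive query upstream"
    return "answer to client" if p["src"] == resolver else "answer from upstream"

def cache_hits(packets, resolver=RESOLVER):
    """IDs of client queries answered with no upstream query in between: cache hits."""
    pending, hits = {}, []
    for p in packets:
        if not p["qr"] and p["dst"] == resolver:
            pending[p["id"]] = False           # client asked; nothing sent upstream yet
        elif not p["qr"] and p["src"] == resolver:
            pending = dict.fromkeys(pending, True)
        elif p["qr"] and p["src"] == resolver and p["id"] in pending:
            if not pending.pop(p["id"]):
                hits.append(p["id"])
    return hits

# Constructed sample capture standing in for the real traffic<number>.cap download.
def _dns(tid, qr, rd, qname, answers=()):
    flags = (0x8000 if qr else 0) | (0x0100 if rd else 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
    msg = struct.pack("!HHHHHH", tid, flags, 1, len(answers), 0, 0) + name + b"\0\1\0\1"
    for ttl, ip in answers:                    # 0xC00C points back at the question name
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return msg
def _frame(src, dst, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload   # no checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + udp
    return b"\x02" * 12 + b"\x08\x00" + ip     # placeholder MACs, IPv4 ethertype
def sample_capture():
    """A lookup of www.cnn.com via recursion, then a second query answered from cache."""
    q, a = "www.cnn.com", [(60, ANSWER)]
    frames = [_frame(CLIENT, RESOLVER, 40001, 53, _dns(0x1A2B, 0, 1, q)),
              _frame(RESOLVER, UPSTREAM, 50001, 53, _dns(0x5C6D, 0, 0, q)),
              _frame(UPSTREAM, RESOLVER, 53, 50001, _dns(0x5C6D, 1, 0, q, a)),
              _frame(RESOLVER, CLIENT, 53, 40001, _dns(0x1A2B, 1, 1, q, a)),
              _frame(CLIENT, RESOLVER, 40002, 53, _dns(0x1A2C, 0, 1, q)),
              _frame(RESOLVER, CLIENT, 53, 40002, _dns(0x1A2C, 1, 1, q, [(45, ANSWER)]))]
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    pcap += b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
                     for i, f in enumerate(frames))
    return pcap
```

Two things worth noticing in the output of `dns_packets(sample_capture())`: the transaction ID of the appliance's upstream query (0x5C6D) differs from the client's (0x1A2B), so you pair the two legs by source and destination address, not by ID; and the second client query (0x1A2C) has no upstream query between it and its answer, and its TTL has counted down from 60 to 45, which is exactly what a cache hit within the TTL looks like. The decoder only understands the classic pcap format with Ethernet framing, which is what the .cap from the appliance is; a pcapng file or a capture taken without an interface selected (no Ethernet header) will not parse.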