Steve Borba

My notes; I hope they help you. Feel free to comment or add to them.

Troubleshooting Filter

Here is a quick filter for when you start troubleshooting with someone and pretty much all they can tell you is their username (change the start time):

( receive_time geq '2018/12/21 12:00:00' ) and user.src eq sborba and ( !action eq allow or (proto eq tcp and !session_end_reason eq tcp-fin ) or ((proto eq icmp or proto eq udp) and !session_end_reason eq aged-out ) or !subtype eq end or bytes_received eq 0 )

You could also change user.src to addr.src. Sometimes it is useful to include addr.dst as well, but that might filter out the clue you needed.
When you see sessions with no packets received, the packet was dropped, or the device on the other side doesn't exist or doesn't respond.
When you see aged-out, it could be that the client lost its connection (power went out?), but it could also mean the session timeout is too short for that application and the application has no keep-alive built in.
When you see tcp-rst-from-client, that could be the browser closing, or the client received a certificate thumbprint it did not expect.
When you see tcp-rst-from-server, that could mean the server is not accepting connections, the server has an access list, the user failed authentication, etc.
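As an added example (not part of the original notes), here is a small Python script that applies the same conditions as the filter above to a handful of constructed traffic-log rows and reports which clause each suspect session tripped. The column names mirror the filter's field names; the sample rows, hosts and user are made up.

```python
import csv
import io
from datetime import datetime

# Constructed sample of PAN-OS traffic log rows (a subset of fields, not a real export).
SAMPLE_LOG = """receive_time,user.src,addr.src,addr.dst,proto,action,subtype,session_end_reason,bytes_received
2018/12/21 11:59:00,sborba,10.1.1.5,10.2.2.8,tcp,allow,end,tcp-fin,4200
2018/12/21 12:01:00,sborba,10.1.1.5,10.2.2.8,tcp,allow,end,tcp-fin,4200
2018/12/21 12:02:00,sborba,10.1.1.5,10.2.2.9,tcp,allow,end,tcp-rst-from-server,0
2018/12/21 12:03:00,sborba,10.1.1.5,10.2.2.10,udp,allow,end,aged-out,512
2018/12/21 12:04:00,sborba,10.1.1.5,10.2.2.11,udp,allow,end,unknown,512
2018/12/21 12:05:00,sborba,10.1.1.5,10.2.2.12,tcp,deny,end,policy-deny,0
2018/12/21 12:06:00,jdoe,10.1.1.6,10.2.2.12,tcp,allow,end,tcp-rst-from-client,0
"""

TIME_FMT = "%Y/%m/%d %H:%M:%S"

def suspect_reasons(row):
    """Apply the OR-clause of the filter to one row; an empty list means the session looks healthy."""
    reasons = []
    proto, end = row["proto"], row["session_end_reason"]
    if row["action"] != "allow":
        reasons.append(f"action={row['action']}")
    # A clean TCP session closes with tcp-fin; UDP/ICMP have no close handshake and simply age out.
    if proto == "tcp" and end != "tcp-fin":
        reasons.append(f"tcp ended with {end}")
    if proto in ("udp", "icmp") and end != "aged-out":
        reasons.append(f"{proto} ended with {end}")
    if row["subtype"] != "end":
        reasons.append(f"subtype={row['subtype']}")
    if int(row["bytes_received"]) == 0:
        reasons.append("bytes_received=0")
    return reasons

def triage(log_text, user, start):
    """Return (receive_time, addr.dst, reasons) for the user's sessions since `start` that trip the filter."""
    since = datetime.strptime(start, TIME_FMT)
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["user.src"] != user:
            continue
        if datetime.strptime(row["receive_time"], TIME_FMT) < since:
            continue
        reasons = suspect_reasons(row)
        if reasons:
            hits.append((row["receive_time"], row["addr.dst"], reasons))
    return hits

if __name__ == "__main__":
    for when, dst, why in triage(SAMPLE_LOG, "sborba", "2018/12/21 12:00:00"):
        print(when, dst, "; ".join(why))
```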
