When you suspect an issue is related to a network problem, and the issue can be reproduced or is seen frequently, use the following steps to collect a packet capture for further analysis:
- SSH to IMSVA and log in with the root account.
- Run the tcpdump command:
tcpdump -i eth0 -s0 -w /var/app_data/troubleShootingIMSVA.pcap
- Replace "eth0" in the command above if your IMSVA uses another port as its data port.
- To avoid generating an overly large packet capture file, or if the issue doesn't show up within an hour, contact Trend Micro Support to get a command line fine-tuned for your IMSVA's issue.
- For details on tcpdump command usage, refer to this article which contains options to help you narrow down the capture scope.
- Reproduce the issue or wait for it to recur. It is better to enable the debug log from the web UI before reproducing the issue, so debug logs are collected at the same time.
- Once the issue is reproduced, press key combination CTRL + C to stop the packet capture.
- Compress the pcap file using the following command:
tar cvzf /var/app_data/pcap.tar.gz /var/app_data/troubleShootingIMSVA.pcap
- Collect /var/app_data/pcap.tar.gz with the scp command or a tool such as WinSCP.
- Export the debug files from the web UI so you can cross-reference the debug logs and packet capture to efficiently troubleshoot network issues.
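As an added example, not part of the original article or a Trend Micro-supplied command, the following shell wrapper runs the capture from the steps above with a size-rotation cap so the file cannot grow unbounded, checks that the data port exists, and packs the result for collection. It assumes the data port is eth0, that /var/app_data is writable, and uses the standard tcpdump -C/-W rotation options; the 100 MB / 5-file bound is a generic choice, not the support-tuned command line the article refers to.

```shell
#!/bin/sh
# Added example (not from the original article): bounded capture wrapper for
# the procedure above. Assumed: data port eth0, /var/app_data writable, and
# standard tcpdump -C/-W rotation (a generic bound, not a support-tuned command).

OUT_DIR="/var/app_data"
BASE="$OUT_DIR/troubleShootingIMSVA.pcap"
MAX_MB=100   # rotate the capture file after this many MB
KEEP=5       # keep at most this many rotated files (oldest overwritten)

# Build the tcpdump command line: -s0 keeps full packets, -C/-W bound disk use,
# and an optional BPF filter (e.g. "port 25") narrows the capture scope.
build_capture_cmd() {
    iface="$1"; out="$2"; filter="$3"
    cmd="tcpdump -i $iface -s0 -C $MAX_MB -W $KEEP -w $out"
    [ -n "$filter" ] && cmd="$cmd $filter"
    printf '%s\n' "$cmd"
}

# Fail fast if the named data port does not exist instead of capturing nothing.
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# Archive path to collect with scp/WinSCP, as in the procedure above.
archive_name() {
    printf '%s/pcap.tar.gz\n' "$1"
}

main() {
    iface="${1:-eth0}"; filter="$2"
    if ! iface_exists "$iface"; then
        echo "interface $iface not found; check the IMSVA data port" >&2
        return 1
    fi
    cmd="$(build_capture_cmd "$iface" "$BASE" "$filter")"
    echo "Running: $cmd  (reproduce the issue, then press CTRL + C)"
    $cmd   # unquoted on purpose: the filter words must be split into arguments
    # Pack every rotated file (troubleShootingIMSVA.pcap, .pcap1, ...) for support.
    tar cvzf "$(archive_name "$OUT_DIR")" "$BASE"*
}

# Usage: sh capture.sh run [interface] [bpf-filter]; without "run" the
# functions are only defined, so the file can be sourced.
if [ "$1" = "run" ]; then
    shift
    main "$@"
fi
```

Rotated files are named with a numeric suffix by tcpdump, so the final tar picks up all of them with the glob rather than only the first.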