1. Accessing and capturing the packets

The first step in setting up the IOTA to capture packets is to configure the capture ports in in-line mode. Login to the IOTA and turn off SPAN mode which puts it in in-line mode.

Place the IOTA 1G inline between the client PC and the rest of the network. The IOTA 1G supports full line rate and full duplex gigabit traffic. Not only will it capture the traffic, but the TAP is fault tolerant. Therefore, if the IOTA loses power for any reason, it will continue to pass packets between the computer and the rest of the network. 

After placing the IOTA in line, press the button to start capturing all the packets. With IOTA, all the data can be stored for a long period of time. This is important to successfully resolve intermittent problems, because it is difficult to detect when the problem's going to occur and a small capture buffer will reduce time window as well. IOTA also has a 1TB SSD drive built in. For a typical computer, this means, that the data can be captured for days or weeks without losing any data. As the packets are captured, the IOTA is writing them to files and storing metadata about each flow in a searchable database.

2. Fast issue identification

In the past, the person having this issue would need to write down the date and time when the problem occurred. This was very unreliable. A better way to mark the capture to show when the problem occurs is to put a shortcut on desktop that will send a ping packet each time the person having the issue clicks on it, go back later and search the captured packets for the ping to find out when the problem occurred. 

3. Drill-down to the packet marker

Let's look at how to find the marker and extract the packets to analyze them in Wireshark. Just start looking at a 24-hour period would result in a lot of captured data. By setting a filter on the IP address of the marker frame, you will be able to find the marker packet and see exactly when the client clicked on the shortcut. Using the mouse to zoom in 10 minutes before and 10 minutes after the marker, will allow you to see what happened before and after the problem occurred.

Afterwards, remove the marker filter and set a filter on the IP address of the device having problems. This is as easy as clicking on the magnifying glass next to the IP address. When done correctly, you will have only a 110MB of traffic going across the network during that time period. Clicking on download pcap will extract those packets to and from the problem PC during the time period to your computer.

4. Analyze the captured packets in Wireshark

Next, open the trace file up in Wireshark by applying an IP address filter to the trace file, you will find the market packet. In this case, the first marker occurred at frame 22069. This is where you should start looking in the trace file. Click on the frame and remove the filter to see all the traffic the IOTA captured between the client computer and the rest of the network. It’s just a matter of digging through the trace before the marker to find the issue. 

IOTA helps to get to the root of intermittent problems by getting in the path of the packets capturing at full line rate, providing an easy means to filter down on problem packets and making it easy to extract those packets for network traffic analysis. For more detailed explanation, you can also watch this use case as a video on Profitap Academy.