Environment
- EDR Server: All Versions
- EDR Sensor: All Versions
- Microsoft Windows: All Supported Versions
Objective
Collect diagnostics for sensor connection and communication issues, such as:
- Sensor fails to register
- Sensor does not show in the console
- Sensor no longer connects
Resolution
- Download and install Wireshark (https://www.wireshark.org) to capture a trace on the affected machine.
- Start a Wireshark trace:
  - On the welcome page, select the interface the connection should be using.
  - If the sensor port has been modified, go to Edit > Preferences > Protocols > HTTP and add the SSL/TLS port (comma delimited).
  - Do not add any filters.
  - Select the shark fin icon at the top left to begin the capture.
- Open CMD as admin and run the following command a few times to force a check-in attempt:
sc control carbonblack 200
- Stop the Wireshark trace with the red box at the top left and save it as <hostname>.pcapng
- Collect sensor diagnostics
- Send server diagnostics. For clustered environments, please send diagnostics from the master and the minions. Run this command via terminal/SSH (Support will collect this for Cloud customers):
/usr/share/cb/cbdiag --post
- Upload the Wireshark trace and Sensor diagnostics to CBVault
- Provide the following information to the case and let the support engineer know the logs have been uploaded:
1) Is this a newly installed sensor?
2) Is the endpoint up to date on the latest Windows Updates?
3) Is the connection going through a proxy? What is the proxy address for troubleshooting?
4) What is the IP address of the Sensor and Server?
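
The capture and forced check-in steps above can also be scripted. The following PowerShell script is an added example, not part of the original article or vendor tooling. It assumes Wireshark's dumpcap.exe is at its default install path, and the attempt count, delay and warm-up values are illustrative.

```powershell
# Added example: unfiltered capture plus forced sensor check-ins.
# Run from an elevated PowerShell prompt on the affected machine.
param(
    # Interface index or name as printed by: dumpcap.exe -D
    [Parameter(Mandatory)] [string] $Interface,
    [int] $Attempts     = 5,    # assumed value for "a few times"
    [int] $DelaySeconds = 10    # assumed pause between check-in attempts
)

# Assumed default Wireshark install location.
$dumpcap = Join-Path $env:ProgramFiles 'Wireshark\dumpcap.exe'
if (-not (Test-Path $dumpcap)) { throw "dumpcap.exe not found at $dumpcap" }

# Both packet capture and 'sc control' need an elevated session.
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) { throw 'Run this script as administrator.' }

# Save the trace as <hostname>.pcapng in the current directory.
$pcap     = Join-Path (Get-Location).Path "$env:COMPUTERNAME.pcapng"
$warmUp   = 3
$duration = $warmUp + ($Attempts * $DelaySeconds) + 5

# No -f option is passed, so no capture filter is applied.
# '-a duration:N' lets dumpcap stop itself and close the file cleanly.
$dumpcapArgs = "-i `"$Interface`" -w `"$pcap`" -a duration:$duration"
$capture = Start-Process -FilePath $dumpcap -ArgumentList $dumpcapArgs `
    -PassThru -WindowStyle Hidden
Start-Sleep -Seconds $warmUp
if ($capture.HasExited) { throw "dumpcap exited early; check the interface '$Interface'." }

for ($i = 1; $i -le $Attempts; $i++) {
    # Call sc.exe explicitly: in Windows PowerShell, 'sc' is an alias for Set-Content.
    & sc.exe control carbonblack 200 | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Attempt ${i}: sc.exe returned exit code $LASTEXITCODE"
    }
    Start-Sleep -Seconds $DelaySeconds
}

# Wait for the autostop timer so the capture file is complete before upload.
$capture.WaitForExit()
Write-Output "Capture saved to $pcap"
```

The HTTP port preference in the steps above only changes how Wireshark decodes traffic when the file is opened, so it has no equivalent in the script.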