EDR: How to Collect Diagnostic Logs for Sensor Communication issues (Windows)

  • EDR Server: All Versions
  • EDR Sensor: All Versions
  • Microsoft Windows: All Supported Versions


How to Collect Diagnostics for Sensor Connection and Communication Issues:
  • Sensor fails to register
  • Sensor does not show in the console
  • Sensor no longer connects


  1. Download and install Wireshark on the affected machine so you can capture a trace there.
  2. Start a Wireshark trace:
    • On the welcome page, select the interface the sensor connection should be using
    • If the sensor port has been modified, go to Edit > Preferences > Protocols > HTTP and add the SSL/TLS port (comma delimited)
    • Do not add any filters
    • Select the shark fin at the top left to begin the capture
  3. Open CMD as administrator and run the following command a few times to force a check-in attempt:
    sc control carbonblack 200
  4. Stop the Wireshark trace with the red square (Stop) button at the top left and save it as <hostname>.pcapng
  5. Collect sensor diagnostics
  6. Send server diagnostics; for clustered environments, send the master and all minions. Run this command via terminal/SSH. (Support will collect this for Cloud customers.)
    /usr/share/cb/cbdiag --post
  7. Upload the Wireshark trace and Sensor diagnostics to CBVault
  8. Provide the following information to the case and let the support engineer know the logs have been uploaded:
    1) Is this a newly installed sensor?
    2) Is the endpoint up to date on the latest Windows Updates?
    3) Is the connection going through a proxy? What is the proxy address for troubleshooting?
    4) What is the IP address of the Sensor and Server?
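
The Windows-side steps above (2, 3, 4 and 8), scripted as an added example that is not part of the KB article and not a VMware tool: it captures with tshark (installed alongside Wireshark) instead of the GUI, forces the check-in attempts, names the trace after the host, and writes the step 8 answers to a text file. It assumes the default Wireshark install path, the Wireshark 3.x+ preference name `http.tls.port`, and the `carbonblack` service name used by the `sc control` command above.

```powershell
# Added example, not from the KB article. Run from an elevated PowerShell prompt.
param(
    [string]$Interface = "Ethernet",   # capture interface name, as listed by `tshark -D`
    [int]$CheckinAttempts = 3,         # how many check-in attempts to force
    [string]$TlsPorts = "443",         # add the custom sensor port if it was changed, e.g. "443,8443"
    [string]$OutDir = "$env:TEMP\cb-sensor-diag"
)
$tshark = "C:\Program Files\Wireshark\tshark.exe"   # assumed default install location
if (-not (Test-Path $tshark)) { throw "tshark not found at $tshark; install Wireshark first." }
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Step 4 of the article: the trace is named after the host.
$pcap = Join-Path $OutDir "$env:COMPUTERNAME.pcapng"

# Step 2: unfiltered capture on the chosen interface. The -o preference mirrors the
# Edit > Preferences > Protocols > HTTP TLS port setting (assumed name: http.tls.port;
# older Wireshark builds used http.ssl.port). tshark stops itself after $duration seconds
# so the file is closed cleanly instead of being killed mid-write.
$duration = 10 + ($CheckinAttempts * 10)
$capture = Start-Process -FilePath $tshark -PassThru -NoNewWindow -ArgumentList @(
    "-i", $Interface, "-w", $pcap, "-o", "http.tls.port:$TlsPorts", "-a", "duration:$duration"
)
Start-Sleep -Seconds 5   # let tshark open the interface before generating traffic

# Step 3: force check-in attempts with control code 200. Use sc.exe explicitly,
# because in PowerShell `sc` is an alias for Set-Content.
for ($i = 1; $i -le $CheckinAttempts; $i++) {
    sc.exe control carbonblack 200 | Out-Null
    Start-Sleep -Seconds 10
}

# Step 4: wait for the capture to finish on its own.
Wait-Process -Id $capture.Id

# Step 8: gather the answers the support case asks for.
$ipv4 = (Get-NetIPAddress -AddressFamily IPv4 |
         Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress -join ', '
$svc = Get-Service -Name carbonblack -ErrorAction SilentlyContinue
$latestFix = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).HotFixID
$info = @(
    "Host: $env:COMPUTERNAME",
    "Endpoint IPv4: $ipv4",
    "Sensor service status: $($svc.Status)",
    "Latest installed hotfix: $latestFix",
    "WinHTTP proxy configuration:",
    (netsh winhttp show proxy | Out-String)
)
$info | Set-Content (Join-Path $OutDir "case-info.txt")
Write-Host "Upload $pcap and case-info.txt together with the sensor diagnostics to CBVault."
```

The sensor diagnostics (step 5) and the server-side `cbdiag --post` (step 6) are still collected as the article describes; the script only covers what runs on the Windows endpoint.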
