This must be done from the edge device that is under attack. If the edge device lacks capture tools (tshark, Wireshark, etc.) that can be run remotely, you will need physical access to the device.
Tshark (*nix)
- Run the following command from the CLI: <code>tshark -ni <inbound interface> -w /tmp/<filename>.cap</code> The file name can be anything, but preferably the date and instance number of the capture.
- After 500-1000 packets are captured, close the tshark session with Ctrl-C.
- Copy the file off the edge device to a computer that can run Wireshark.
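The tshark steps above, as an added example that is not part of the original page: it stops the capture itself after a fixed packet count (instead of watching for 500-1000 packets and pressing Ctrl-C) and names the file by date and instance number as recommended. It assumes a writable /tmp and tshark on the edge device; the helper names and the default of 1000 packets are this example's own choices.

```shell
#!/bin/sh
# Added example: wraps the page's tshark capture step.
# Assumptions (not from the page): /tmp is writable, tshark is installed,
# PACKET_COUNT defaults to the top of the page's 500-1000 range.

CAPTURE_DIR="${CAPTURE_DIR:-/tmp}"
PACKET_COUNT="${PACKET_COUNT:-1000}"

# Next free instance number for a given day, found from existing files.
# Usage: next_instance <dir> <YYYYMMDD>   -> prints 1, 2, 3, ...
next_instance() {
    dir=$1; day=$2; n=1
    while [ -e "$dir/${day}-${n}.cap" ]; do
        n=$((n + 1))
    done
    echo "$n"
}

# Capture file path in the page's "date and instance number" scheme:
# <dir>/<YYYYMMDD>-<instance>.cap
capture_path() {
    dir=$1; day=$2
    echo "$dir/${day}-$(next_instance "$dir" "$day").cap"
}

# The tshark command line that will be run.
# -n: no name resolution, so the capture host makes no DNS lookups
#     for the attacking addresses while the attack is in progress.
# -c: stop automatically after <count> packets.
build_tshark_cmd() {
    iface=$1; outfile=$2; count=$3
    echo "tshark -ni $iface -c $count -w $outfile"
}

# Run the capture on <iface> and print the resulting file path.
# Usage: run_capture eth0
run_capture() {
    iface=$1
    day=$(date +%Y%m%d)
    out=$(capture_path "$CAPTURE_DIR" "$day")
    if ! command -v tshark >/dev/null 2>&1; then
        echo "tshark not found; would run: $(build_tshark_cmd "$iface" "$out" "$PACKET_COUNT")" >&2
        return 1
    fi
    tshark -ni "$iface" -c "$PACKET_COUNT" -w "$out" && echo "$out"
}
```

Copy the printed file off the device with scp or similar, as in the next step.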
Wireshark
- Open Wireshark and start a new session after selecting the appropriate inbound interface.
- After 500-1000 packets are captured, stop the capture and save the session. As stated above, the file name can be anything, but preferably the date and instance number of the capture.
Adtran AOS
Other options if local/physical access is available
- Hardware based capture device
- ARP poisoning (may or may not be an option based on legality & hardware compatibility)
- Using monitoring programs such as rflow, NTop, etc.