Carbon Black Cloud: Diagnose MacOS Network Issues Using Network Extension Diagnostics

Article ID: 289300


Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

How to use the Network Extension Diagnostics to diagnose OS or interoperability issues behind macOS network problems.

Environment

  • MacOS: All Supported Versions

Resolution

  1. Uninstall the sensor if installed.
  2. Enable debug-level logging for the content filter framework (OS level) 
    $ sudo sysctl net.cfil.log=7
  3. Download the network extension files as provided on the case by Support.
  4. Install the diagnostic network extension on a system without the sensor installed.
    $ cd /Applications
    $ unzip diagnostic-ne-20211116.zip
  5. Start the diagnostic network extension
    $ ./test-ne.app/Contents/MacOS/test-ne
  6. Verify the network extension is enabled
    $ ./test-ne.app/Contents/MacOS/test-ne --status
    Status: test-ne
               - enabled:       Yes
               - socket filter: Enabled
               - packet filter: Enabled
               - grade:         1
  7. Attempt to replicate the network connectivity or performance issue
    • NOTE: Record whether network connectivity issues or performance degradation are seen at this point
  8. Disable the data/socket filter
    $ ./test-ne.app/Contents/MacOS/test-ne --disable-socket-filter
  9. Verify the data/socket filter is disabled
    $ ./test-ne.app/Contents/MacOS/test-ne --status
    Status: test-ne
               - enabled:       Yes
               - socket filter: Disabled
               - packet filter: Enabled
               - grade:         1
  10. Attempt to replicate the network connectivity or performance issue
    • NOTE: Record whether network connectivity issues or performance degradation are seen at this point
  11. Disable the packet filter. This automatically enables the data/socket filter.
    $ ./test-ne.app/Contents/MacOS/test-ne --disable-packet-filter
  12. Verify the packet filter is disabled and the data/socket filter is enabled
    $ ./test-ne.app/Contents/MacOS/test-ne --status
    Status: test-ne
               - enabled:       Yes
               - socket filter: Enabled
               - packet filter: Disabled
               - grade:         1
  13. Verify network connectivity. At this point, if the data/socket filter is the problem, the network connectivity or performance issue should be present.
    • NOTE: Record whether network connectivity issues or performance degradation are seen at this point
  14. Stop the diagnostic network extension
    $ ./test-ne.app/Contents/MacOS/test-ne --stop
  15. Remove the diagnostic network extension from the system
    $ rm -r test-ne.app
  16. Reset the logging level for the OS level content filter framework
    $ sudo sysctl net.cfil.log=3
  17. Run the following commands immediately after the above testing, and provide all logs for analysis.
    $ log collect --last 1h --output <path>
    $ system_profiler > sys_profile.log
    $ ifconfig -a > ifconfig.log
    $ systemextensionsctl list > sysext_list.log
    $ ls -al /Applications > app_list.log
    $ ps -eaf > proc_list.log
    $ set > set_list.log
  18. Bundle the files and upload them to the CBVault
    $ tar czf diagnostic-files.tar.gz *
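
The status checks in steps 6, 9 and 12 can be scripted so that a reproduction attempt is only made once the filters are in the state the procedure expects. The following is an added example, not Carbon Black tooling; the function names `ne_field`, `expected_state` and `verify_step` are hypothetical, and the parser assumes the `--status` layout shown above.

```shell
#!/bin/sh
# Added example (not Carbon Black tooling): check `test-ne --status` output
# against the filter state the procedure expects at steps 6, 9 and 12.

# ne_field KEY: print the value of one "- key: value" line from status text on stdin.
ne_field() {
  awk -F':' -v key="$1" '{
    k = $1; sub(/^[ \t]*-[ \t]*/, "", k); sub(/[ \t]+$/, "", k)
    if (k == key) { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit }
  }'
}

# expected_state STEP: print "<socket filter> <packet filter>" for that checkpoint.
expected_state() {
  case "$1" in
    6)  echo "Enabled Enabled" ;;    # both filters on
    9)  echo "Disabled Enabled" ;;   # after --disable-socket-filter
    12) echo "Enabled Disabled" ;;   # after --disable-packet-filter
    *)  return 2 ;;
  esac
}

# verify_step STEP: read status text on stdin; return 0 only if the extension is
# enabled and both filters are in the state expected for STEP.
verify_step() {
  _status=$(cat)
  _want=$(expected_state "$1") || { echo "step $1: not a status checkpoint" >&2; return 2; }
  _en=$(printf '%s\n' "$_status" | ne_field "enabled")
  _got="$(printf '%s\n' "$_status" | ne_field "socket filter") $(printf '%s\n' "$_status" | ne_field "packet filter")"
  if [ "$_en" != "Yes" ]; then
    echo "step $1: extension not enabled (enabled='$_en')" >&2; return 1
  fi
  if [ "$_got" != "$_want" ]; then
    echo "step $1: expected '$_want', got '$_got'; do not test yet" >&2; return 1
  fi
  echo "step $1: OK (socket/packet filter: $_got)"
}

# Sample input: the step 9 status output shown in the article.
SAMPLE_STEP9='Status: test-ne
           - enabled:       Yes
           - socket filter: Disabled
           - packet filter: Enabled
           - grade:         1'

# On a test machine: ./test-ne.app/Contents/MacOS/test-ne --status | verify_step 9
printf '%s\n' "$SAMPLE_STEP9" | verify_step 9
```

A non-zero exit from `verify_step` means the observation recorded for that step would not correspond to the filter configuration the step is meant to test.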