Collecting Diagnostic Logs for Sensor Communication issues


Article ID: 284741


Products

Carbon Black EDR (formerly Cb Response) Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

How to Collect Diagnostics for Sensor Connection and Communication Issues:

  • Sensor fails to register
  • Sensor does not show in the console
  • Sensor no longer connects
  • Sensor shows as offline
  • Sensor checks in but no events are sent to the EDR console

Environment

  • EDR Server: All Versions
  • EDR Sensor: All Versions
  • Microsoft Windows: All Supported Versions
  • Linux: All Supported Versions
  • macOS: All Supported Versions

Resolution

Step 1: Collect sensor connection diagnostics

WINDOWS SENSORS

      1. Download and install Wireshark (https://www.wireshark.org) to capture a trace on the affected machine.
      2. Start a Wireshark trace
        • On the welcome page, select the interface the sensor connection should be using
        • If the sensor port has been modified, go to Edit > Preferences > Protocols > HTTP and add the SSL/TLS port (comma delimited)
        • Do not add any filters
        • Select the shark fin at the top left to begin the capture
      3. Open CMD as administrator and run the following command a few times to force a check-in attempt
        sc control carbonblack 200
      4. Stop the Wireshark trace with the red stop button at the top left and save it as <hostname>.pcapng
      5. Collect sensor diagnostics
      6. Upload both the Wireshark capture and the sensor diagnostics to the support case


macOS SENSORS

      1. Determine the PID of the Carbon Black EDR sensor:
        • ps -ax | grep CbOsxSensorService
      2. Start the communications log dump by issuing the following command:
        • sudo kill -s USR2 <pid of CbOsxSensorService>
      3. Collect a log dump and upload this to the support case


LINUX SENSORS

      1. Run this command on the affected machine as root or super user (replace <EDR_Server_IP> with the IP address of your EDR server; note the explicit "and" between the port and host filter terms, which tcpdump requires):
        • sudo tcpdump -w /tmp/EDR_sensor_connection.pcap port 443 and host <EDR_Server_IP>
      2. If tcpdump is not available on a RedHat-based Linux system:
        • yum install tcpdump
      3. Force an immediate sensor check-in to the EDR server by sending the SIGUSR1 signal (signal 10) to the cbdaemon process from a terminal, as root (or via su):
        • sudo kill -s USR1 $(pidof cbdaemon)
      4. Stop the tcpdump capture (Ctrl+C) and collect the packet capture
      5. Generate the Linux sensor diagnostic data with this command:
        • sudo /opt/carbonblack/response/bin/sensordiag.sh
      6. Upload the tcpdump capture and the sensor diagnostics to the case
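The Linux steps above, wrapped into one script that starts the capture, forces the check-ins, stops the capture and runs the sensor diagnostics. This is an added example, not Carbon Black's own tooling; it assumes the cbdaemon process name and sensordiag.sh path the article gives, and the OUT_DIR, EDR_SERVER_IP and EDR_SERVER_PORT variable names are this script's own.

```shell
#!/bin/sh
# Added example, not Carbon Black tooling: runs the Linux sensor steps above in
# one go. Assumes the article's process name (cbdaemon) and sensordiag.sh path;
# OUT_DIR, EDR_SERVER_IP and EDR_SERVER_PORT are names assumed by this script.
set -eu
OUT_DIR="${OUT_DIR:-/tmp/edr_sensor_diag}"

# tcpdump capture filter for the EDR server. tcpdump needs an explicit "and"
# between primitives: "port 443 host X" is rejected as a syntax error.
edr_filter() {
  printf 'port %s and host %s' "${2:-443}" "$1"
}

# Reject anything that is not a dotted-quad IPv4 address before running root tools.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(printf '%s' "$1" | tr . ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}

# Force check-ins by sending SIGUSR1 (signal 10) to cbdaemon, repeated so the
# capture holds more than one attempt (the Windows step does the same with sc).
force_checkin() {
  attempts="${1:-3}"
  pid="$(pidof cbdaemon)" || { echo "cbdaemon is not running" >&2; return 1; }
  while [ "$attempts" -gt 0 ]; do
    kill -s USR1 $pid; sleep 5; attempts=$((attempts - 1))   # unquoted: pidof may list several pids
  done
}

collect() {
  is_ipv4 "$1" || { echo "usage: $0 <EDR_Server_IP> [port]" >&2; return 2; }
  mkdir -p "$OUT_DIR"
  pcap="$OUT_DIR/$(hostname)_sensor_connection.pcap"
  tcpdump -nn -w "$pcap" "$(edr_filter "$1" "${2:-443}")" &
  tdpid=$!
  sleep 2                        # let tcpdump attach before signalling
  force_checkin 3
  kill -s INT "$tdpid"           # same as Ctrl+C: flushes and closes the pcap
  wait "$tdpid" || true
  /opt/carbonblack/response/bin/sensordiag.sh
  echo "capture saved to $pcap; upload it together with the sensordiag output"
}

# Only run when a server address is supplied, so the functions can also be sourced.
[ -n "${EDR_SERVER_IP:-}" ] && collect "$EDR_SERVER_IP" "${EDR_SERVER_PORT:-443}"
```

Run it as root with `EDR_SERVER_IP=<EDR_Server_IP> sh collect_sensor_diag.sh` and pass `EDR_SERVER_PORT` when the sensor port has been changed from 443.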


Step 2: Collect Server Diagnostics (CBdiags)

      1. Send server diagnostics; for clustered environments, send diagnostics from the master and every minion. Run this command in a terminal or over SSH (Support collects this for Hosted EDR customers):
        • /usr/share/cb/cbdiag --post
      2. Upload all collected Sensor diagnostics, the CBdiags and additional logs (tcpdump, Wireshark) to the case


Step 3: Provide the following information to the case and let the support engineer know the logs have been uploaded:

      1. Is this a newly installed sensor?
      2. Is the connection going through a proxy? What is the proxy address for troubleshooting?
      3. What is the IP address of the Sensor and Server?
      4. (Windows) Is the endpoint up to date on the latest Windows Updates?
      5. (Linux) If required, have the kernel headers been installed?
      6. (macOS) Have the prerequisites (full disk access, network extensions, kernel extensions) been configured?
      7. What is the license expiration date on the console?

Additional Information