The internet connectivity on my network has recently been disrupted by a DDoS attack. My firewall logs UDP floods coming to our IP address that faces the world when we are on the net. This then causes our internet to fail completely. I work at a school where a lot of the students have their own devices. I'm pretty sure that the attack is being initiated from within our network, maybe using a program or proxy of some sort that comes back and floods that IP from a number of different IPs.
What I want to monitor is the network programs that are being run on devices connected to our network. I was thinking that I could use Wireshark on the network to capture all of the traffic during an attack. What I don't know is what kinds of traffic to filter for within Wireshark. We have spanning tree enabled on the network devices, so Wireshark should work just fine.
Any suggestions would be appreciated.
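One way to answer "which internal device is generating the UDP traffic" from a capture, as an added example that is not part of the original post: capture on a switch mirror/SPAN port during an attack with the display filter `udp` (or `udp and host <your WAN IP>`), export the UDP packets with `tshark -r capture.pcapng -Y udp -T fields -E separator=, -e frame.time_epoch -e ip.src -e ip.dst -e udp.dstport -e frame.len`, and rank internal sources by outbound UDP packet rate. The tshark options and field names are real; the sample rows, the `10.0.0.0/8` LAN range, the WAN address `203.0.113.10` and the 500 pkt/s threshold are constructed assumptions for the example.

```python
"""Rank internal hosts by outbound UDP volume in a tshark CSV export.

Added example, not from the original post. Assumes the capture was taken
from a switch mirror/SPAN port and exported with:
  tshark -r capture.pcapng -Y udp -T fields -E separator=, \
     -e frame.time_epoch -e ip.src -e ip.dst -e udp.dstport -e frame.len
The LAN range, WAN address and sample rows below are constructed.
"""
import csv
import io
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed: the school LAN
WAN_IP = ipaddress.ip_address("203.0.113.10")          # constructed: the flooded public IP

# Constructed sample rows in the export format above:
# frame.time_epoch,ip.src,ip.dst,udp.dstport,frame.len
SAMPLE_CSV = """\
1700000000.000,10.0.5.23,203.0.113.10,41000,1442
1700000000.050,10.0.5.23,203.0.113.10,41001,1442
1700000000.100,10.0.5.23,203.0.113.10,41002,1442
1700000000.150,10.0.5.23,203.0.113.10,41003,1442
1700000000.200,10.0.5.23,203.0.113.10,41004,1442
1700000000.250,10.0.5.23,203.0.113.10,41005,1442
1700000000.300,10.0.5.23,203.0.113.10,41006,1442
1700000000.350,10.0.5.23,203.0.113.10,41007,1442
1700000000.400,10.0.5.40,8.8.8.8,53,74
1700000002.900,10.0.5.40,8.8.8.8,53,76
1700000001.000,198.51.100.7,203.0.113.10,80,1442
"""


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def summarize_udp(csv_text: str) -> dict:
    """Aggregate UDP packets per internal source address.

    Returns {src: {"packets", "bytes", "dst_ports", "dsts", "first", "last"}}
    for sources inside INTERNAL_NETS only; external senders are skipped
    because the question is which LAN device is generating the traffic.
    """
    fields = ["time", "src", "dst", "dport", "length"]
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "dst_ports": set(),
                                 "dsts": set(), "first": None, "last": None})
    for row in csv.DictReader(io.StringIO(csv_text), fieldnames=fields):
        if not row["src"] or not is_internal(row["src"]):
            continue
        t = float(row["time"])
        s = stats[row["src"]]
        s["packets"] += 1
        s["bytes"] += int(row["length"])
        s["dst_ports"].add(int(row["dport"]))
        s["dsts"].add(row["dst"])
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
    return dict(stats)


def packets_per_second(s: dict) -> float:
    """Average rate over the host's active window, floored at one second so a
    burst of a few packets in a few milliseconds is not inflated into a flood."""
    window = max(s["last"] - s["first"], 1.0)
    return s["packets"] / window


def flag_flooders(stats: dict, pps_threshold: float = 500.0) -> list:
    """Return (src, pps, bytes, talks_to_wan_ip) for hosts at or above the
    rate threshold, busiest first. 500 pkt/s is a constructed starting point;
    tune it against a quiet-hour export from the same network."""
    out = []
    for src, s in stats.items():
        pps = packets_per_second(s)
        if pps >= pps_threshold:
            out.append((src, round(pps, 1), s["bytes"], str(WAN_IP) in s["dsts"]))
    return sorted(out, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    stats = summarize_udp(SAMPLE_CSV)
    # Low threshold only because the constructed sample has a handful of rows.
    for src, pps, nbytes, to_wan in flag_flooders(stats, pps_threshold=5.0):
        print(f"{src}: {pps} pkt/s, {nbytes} bytes, "
              f"{len(stats[src]['dst_ports'])} distinct dst ports, "
              f"{'sends to WAN IP' if to_wan else 'other destinations'}")
```

The per-source port and destination counts are there because a legitimate client usually talks to a few services on stable ports, while flood tooling tends to spray many ports or hammer one destination; once a host is identified, the switch's MAC table or DHCP lease tells you which physical port or device it is.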