The internet connectivity on my network has recently been disrupted by a DDoS attack. My firewall logs UDP floods coming to our IP address that faces the world when we are on the net. This then causes our internet to fail completely. I work at a school where a lot of the students have their own devices. I'm pretty sure that the attack is being initiated from within our network, maybe using a program or proxy of some sort that comes back and floods that IP from a number of different IPs.
What I want to monitor is the network programs that are being run on devices connected to our network. I was thinking that I could use Wireshark on the network to capture all of the traffic during an attack. What I don't know is what kinds of traffic to filter for within Wireshark. We have spanning tree enabled on the network devices so Wireshark should work just fine.
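Added example, not part of the original post: once a capture taken during an attack is exported from Wireshark or tshark as fields, this script buckets the UDP packets aimed at the public IP per source address and flags the internal hosts whose packet rate spikes. The public IP, the LAN addresses, the traffic and the threshold are constructed placeholders, not values from the question.

```python
from collections import defaultdict

# Equivalent Wireshark display filter for the same question
# (UDP aimed at the public-facing address):  udp && ip.dst == 203.0.113.10
# 203.0.113.10 is a documentation placeholder, not the poster's real IP.
PUBLIC_IP = "203.0.113.10"
UDP_PROTO = 17

def udp_flood_sources(records, public_ip, window_s=1.0, threshold_pps=200):
    """Return {src_ip: peak packets-per-second} for every source whose UDP
    packet rate toward public_ip exceeds threshold_pps in any window_s bucket.

    Each record is (time_epoch, src_ip, dst_ip, ip_proto, frame_len), the
    field order of an export such as:
      tshark -r capture.pcap -T fields -E separator=, \
        -e frame.time_epoch -e ip.src -e ip.dst -e ip.proto -e frame.len
    """
    counts = defaultdict(lambda: defaultdict(int))  # src -> bucket -> packets
    for t, src, dst, proto, _frame_len in records:
        if int(proto) != UDP_PROTO or dst != public_ip:
            continue  # only UDP toward the public IP is of interest here
        counts[src][int(float(t) // window_s)] += 1
    flagged = {}
    for src, per_bucket in counts.items():
        peak = max(per_bucket.values()) / window_s
        if peak > threshold_pps:
            flagged[src] = peak
    return flagged

def constructed_records():
    """Constructed traffic, not a real capture: one LAN host sending 600 UDP
    packets in one second at the public IP, one sending a normal trickle,
    and one sending TCP that must be ignored."""
    recs = []
    for i in range(600):
        recs.append((1700000000 + i / 600, "10.0.5.23", PUBLIC_IP, 17, 1400))
    for i in range(20):
        recs.append((1700000000 + i / 20, "10.0.5.40", PUBLIC_IP, 17, 90))
    for i in range(300):
        recs.append((1700000000 + i / 300, "10.0.5.41", PUBLIC_IP, 6, 60))
    return recs

if __name__ == "__main__":
    for src, pps in udp_flood_sources(constructed_records(), PUBLIC_IP).items():
        print(f"{src}: peak {pps:.0f} UDP packets/s toward {PUBLIC_IP}")
```

The capture point must actually see the LAN-to-WAN traffic for this to show anything; run it on a real export by reading the tshark output with the `csv` module and passing the rows to `udp_flood_sources`.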