Triggering packet capture based on detecting a sequence anomaly
Abstract:
In one embodiment, a method is performed. A device comprising a non-transitory memory and a processor coupled to the non-transitory memory may be in communication with a plurality of network devices. The device may detect an anomaly in a detected sequence of events occurring during a connectivity process for establishing a connection between a first network device and a second network device of the plurality of network devices. The anomaly may comprise a difference between the detected sequence of events and a predetermined sequence of events. The device may determine whether the anomaly satisfies a criterion for triggering a packet capture operation. If so, the device may cause at least one of the first network device or the second network device to capture at least one target packet.
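The flow in the abstract can be sketched as follows. This is an added example, not code from the patent or its assignee: the event names, the triggering criterion (at least one expected event missing) and the shape of the capture request are all assumptions, since the abstract specifies none of them.

```python
from difflib import SequenceMatcher

# Assumed predetermined sequence for a client joining through an access point.
# Event names are constructed for illustration; the abstract names none.
EXPECTED = ["assoc_req", "assoc_resp", "eap_start", "eap_success",
            "dhcp_discover", "dhcp_offer", "dhcp_request", "dhcp_ack"]


def find_anomaly(detected, expected=EXPECTED):
    """Return each region where the detected sequence differs from the expected one."""
    matcher = SequenceMatcher(a=expected, b=detected, autojunk=False)
    return [
        {"kind": tag, "missing": expected[i1:i2], "unexpected": detected[j1:j2]}
        for tag, i1, i2, j1, j2 in matcher.get_opcodes()
        if tag != "equal"
    ]


def satisfies_criterion(anomaly, min_missing=1):
    """Assumed criterion: at least min_missing expected events never occurred.
    Extra events alone (for example a retransmission) do not trigger a capture."""
    return sum(len(d["missing"]) for d in anomaly) >= min_missing


def plan_capture(first_dev, second_dev, detected):
    """Return capture requests for both endpoints, or [] when no capture is warranted."""
    anomaly = find_anomaly(detected)
    if not satisfies_criterion(anomaly):
        return []
    # Target packets: the message types that should have appeared but did not.
    targets = [e for d in anomaly for e in d["missing"]]
    return [{"device": dev, "capture": targets} for dev in (first_dev, second_dev)]


# Constructed observations for one client/AP pair.
STALLED = EXPECTED[:5] + ["dhcp_discover", "dhcp_discover"]   # no DHCP offer ever arrives
RETRANSMIT = EXPECTED[:5] + ["dhcp_discover"] + EXPECTED[5:]  # one repeat, then completes

if __name__ == "__main__":
    for name, seq in [("stalled", STALLED), ("retransmit", RETRANSMIT)]:
        print(name, plan_capture("client-1", "ap-7", seq))
```

Gating the capture on a criterion rather than on any difference keeps benign deviations, such as a single retransmission, from starting captures on every connection attempt.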