Analyzing packet captures obtained from a ProxySG

Article ID: 165357

Products

ProxySG Software - SGOS

Issue/Introduction

You have collected a packet capture from the ProxySG while reproducing the issue.

You want to analyze the captured data to isolate the issue.

What protocol analyzer can I use to analyze a packet capture (pcap) obtained from a ProxySG?

Resolution

There are several ways to review packet capture information on the proxy appliance:

  • View packet capture statistics by navigating to https://ProxySG_IP_address:8082/PCAP/Statistics. From this page you can start, stop, and download a packet capture and view its statistics.
  • View packet capture data through the Management Console by going to Maintenance > Service Information > Packet Capture and clicking the "Show statistics" button.
  • View packet capture data through the CLI using the following command:

      SGOS# pcap info

To analyze the captured packet data, use a tool that reads Packet Sniffer Pro 1.1 files, such as Wireshark or Packet Sniffer Pro 3.0.

Wireshark can be downloaded for free at https://www.wireshark.org/.

Additional Information:

Here are several helpful Wireshark filters:

Filter                                      Brief Description
http.request || http.response               Displays all HTTP request and response packets
http.request.full_uri                       Displays all packets that contain a full request URI/URL
ssl.handshake                               Displays SSL handshake packets (client hello, server hello, client key exchange, change cipher spec, etc.)
dns.time>.5                                 Displays DNS responses delayed by more than .5 seconds
http.request.method == "POST"               Displays all POST requests (can be modified for other methods such as "HEAD")
ntlmssp.messagetype == 0x00000003           Displays all packets carrying the NTLM Auth message (NTLMSSP_AUTH); used to help track NTLM authentication requests/conversations
ntlmssp                                     Displays all NTLM packets
tcp.dstport == 3389 and tcp.flags.syn==1    Displays RDP connection attempts (TCP SYN packets to port 3389)
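As an added example (not part of the original article), the following Python script reproduces what the dns.time>.5 filter measures: it walks a pcap, pairs each DNS query with its response by transaction ID and client socket, and reports the lookups that exceeded the threshold. The capture it parses is constructed inside the script; the function names and the 0.5 s default are the example's own choices.

```python
import struct

def build_pcap(packets):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, linktype 1 = Ethernet
    for ts, frame in packets:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def dns_frame(txid, response, src, dst, sport, dport):
    # Constructed Ethernet/IPv4/UDP frame carrying a bare 12-byte DNS header.
    flags = 0x8180 if response else 0x0100           # QR bit marks the answer
    dns = struct.pack(">HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)
    udp = struct.pack(">HHHH", sport, dport, 8 + len(dns), 0) + dns
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip           # zero MACs, EtherType IPv4

def slow_dns(pcap_bytes, threshold=0.5):
    """Return [(txid, delay_s)] for answers slower than threshold, like dns.time > .5."""
    off, pending, slow = 24, {}, []                   # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 17:
            continue                                  # not IPv4 over UDP
        ihl = (frame[14] & 0x0F) * 4
        src_ip, dst_ip = frame[26:30], frame[30:34]
        udp = frame[14 + ihl:]
        sport, dport = struct.unpack_from(">HH", udp, 0)
        if 53 not in (sport, dport):
            continue
        txid, flags = struct.unpack_from(">HH", udp, 8)
        ts = sec + usec / 1_000_000
        if flags & 0x8000:                            # response: pair with the client's query
            sent = pending.pop((txid, dst_ip, dport), None)
            if sent is not None and ts - sent > threshold:
                slow.append((txid, round(ts - sent, 6)))
        else:
            pending[(txid, src_ip, sport)] = ts
    return slow

# Constructed sample capture: one fast lookup, one slow lookup, one unanswered query.
CLIENT, SERVER = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 53])
SAMPLE_PCAP = build_pcap([
    (0.000, dns_frame(0x1111, False, CLIENT, SERVER, 40000, 53)),
    (0.020, dns_frame(0x1111, True, SERVER, CLIENT, 53, 40000)),
    (1.000, dns_frame(0x2222, False, CLIENT, SERVER, 40001, 53)),
    (1.800, dns_frame(0x2222, True, SERVER, CLIENT, 53, 40001)),
    (2.000, dns_frame(0x3333, False, CLIENT, SERVER, 40002, 53)),
])
```

To run it against a capture downloaded from the appliance, pass the file contents to slow_dns(); the reader handles only classic little-endian pcap with Ethernet framing, not pcapng, and ignores DNS over TCP.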