When capturing data to identify a problem, I find that the PCAP fills up quickly because my network is very busy. What capture filters can I use to gather just the information I'm interested in when taking packet captures on my CacheFlow or ProxySG / ASG appliance?
Although an unfiltered packet capture is ideal because it provides the complete Layer 2, Layer 3, and Layer 4 communication for an investigation, a very busy proxy can fill the 100 MB capture buffer in less than 10 seconds, and the capture may end before the problem occurs. Capture filters help when troubleshooting in this situation.
Consider the following when examining proxied traffic in a packet capture:
When a client requests an object that is not in the proxy's cache, at least two TCP sessions need to happen. The first is a client-to-proxy TCP session, and the second is a proxy-to-OCS (origin content server) session.
The proxy may spawn other UDP sessions (e.g. DNS/RDNS) and/or TCP sessions (e.g. authentication, ICAP with request modification) before a request can be sent to the OCS. A proxy that uses ICAP response or request modification may also open a TCP session to the configured ICAP server. You can include the ports and/or IP addresses of these services in the capture filter if needed. However, you may want to verify the health of these services (Health Check) for obvious problems before taking packet captures.
If you are running WCCP / GRE, please refer to the KB article TECH241738 (FAQ727).
Most common PCAP filters to use on a ProxySG appliance:
Capture traffic by client IP: ip host x.x.x.x (x.x.x.x is the IP address of the client initiating the request).
Capture by client IP address, destination IP of the origin content server, or DNS requests: ip host x.x.x.x || ip host y.y.y.y || port 53 (x.x.x.x is the IP address of the client that initiated the request and y.y.y.y is the IP address of the origin content server).
Capture by client IP address or requests for a specific domain: ip host x.x.x.x || host www.example.com (x.x.x.x is the IP address of the client that initiated the request and www.example.com is the domain the user has requested).
Capture a native FTP issue: port ftp || port ftp-data
Capture multicast packets to troubleshoot a ProxySG appliance failover deployment: ip multicast
Capture all traffic from a specific LAN network: src net 192.168.3.16/28 This captures traffic sourced from every IP address in the 192.168.3.16/28 network (netmask 255.255.255.240).
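The following Python script is an added example and is not part of the original article: it evaluates the filter expressions listed above against constructed packet summaries, implementing the subset of tcpdump/BPF syntax used here (host, net, port, multicast, src/dst qualifiers, || and &&), so you can check which packets a filter would keep before the capture buffer fills. The addresses, ports and the service-name table are assumptions for illustration.

```python
import ipaddress
from collections import namedtuple

# Service names tcpdump/BPF accepts instead of numbers (subset used by the filters above).
SERVICES = {"ftp": 21, "ftp-data": 20, "domain": 53}
# Constructed packet summary: only the fields a capture filter inspects.
Pkt = namedtuple("Pkt", "src dst sport dport")

def _by_direction(direction, src_ok, dst_ok):
    return {"src": src_ok, "dst": dst_ok, "any": src_ok or dst_ok}[direction]

def match_primitive(prim, pkt):
    """Evaluate one primitive: [ip] [src|dst] host A | net CIDR | port P | multicast."""
    words = prim.split()
    if words[0] == "ip":                 # 'ip' qualifier: IPv4 only, which Pkt already is
        words = words[1:]
    direction, words = (words[0], words[1:]) if words[0] in ("src", "dst") else ("any", words)
    kind, arg = words[0], (words[1] if len(words) > 1 else None)
    if kind == "multicast":              # 'ip multicast': IPv4 destination in 224.0.0.0/4
        return ipaddress.ip_address(pkt.dst) in ipaddress.ip_network("224.0.0.0/4")
    if kind == "host":
        return _by_direction(direction, pkt.src == arg, pkt.dst == arg)
    if kind == "net":                    # e.g. 192.168.3.16/28, i.e. netmask 255.255.255.240
        net = ipaddress.ip_network(arg, strict=False)
        return _by_direction(direction, ipaddress.ip_address(pkt.src) in net,
                             ipaddress.ip_address(pkt.dst) in net)
    if kind == "port":
        p = int(arg) if arg.isdigit() else SERVICES[arg]
        return _by_direction(direction, pkt.sport == p, pkt.dport == p)
    raise ValueError(f"unsupported primitive: {prim!r}")

def matches(expr, pkt):
    """'||' is OR of '&&' groups; parentheses are not supported in this subset."""
    return any(all(match_primitive(p.strip(), pkt) for p in clause.split("&&"))
               for clause in expr.split("||"))

def proxied_flow_filter(client_ip, ocs_ip, extra_ports=("domain",)):
    """Filter covering the client-to-proxy leg, the proxy-to-OCS leg and helper services (DNS)."""
    terms = [f"ip host {client_ip}", f"ip host {ocs_ip}"] + [f"port {p}" for p in extra_ports]
    return " || ".join(terms)

# Constructed traffic: client 10.1.1.20, proxy 10.1.1.1, OCS 203.0.113.10, DNS 10.1.1.53, noise.
SAMPLE = [
    Pkt("10.1.1.20", "10.1.1.1", 51000, 8080),      # client -> proxy
    Pkt("10.1.1.1", "203.0.113.10", 40000, 80),     # proxy -> OCS
    Pkt("10.1.1.1", "10.1.1.53", 40001, 53),        # proxy -> DNS
    Pkt("10.1.1.99", "198.51.100.7", 40002, 443),   # unrelated client: must be dropped
    Pkt("192.168.3.20", "10.1.1.1", 40003, 8080),   # inside 192.168.3.16/28 (.16-.31)
    Pkt("192.168.3.40", "10.1.1.1", 40004, 8080),   # outside that /28
]
```

Run `[p for p in SAMPLE if matches(proxied_flow_filter("10.1.1.20", "203.0.113.10"), p)]` to see that only the client, OCS and DNS legs survive the filter while the unrelated traffic is dropped.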
You can use Wireshark (www.wireshark.org) or your preferred packet analyzer to view packet captures taken from Blue Coat proxies.
Imported Document ID: 000014782