Filtered packet captures missing data in a VLAN environment on Edge SWG (ProxySG)

Article ID: 169197


Products

ProxySG Software - SGOS

Issue/Introduction

Edge SWG (ProxySG) supports packet capture filtering using Berkeley Packet Filter (BPF) expressions.

Filtering traffic in an environment where Ethernet frames carry 802.1Q VLAN tags can produce unexpected results, such as unidirectional captures, bypassed traffic that never appears in the capture, or missing TCP control packets (SYN, ACK, RST).

Example Scenario

Environment

  • Frames are tagged with the non-native VLAN 100
  • The endpoint machine IP address is 10.9.8.7
  • The Edge SWG (ProxySG) IP address is 10.1.1.1
  • You would like to capture all traffic for the endpoint machine IP

Filtering 

The filter ip host 10.9.8.7 captures only untagged frames for this IP address. Tagged frames for the same address are not captured, because the filter looks for the IPv4 EtherType at the untagged offset and finds the 802.1Q tag there instead.

The filter vlan 100 or ip host 10.9.8.7 never captures untagged frames for this IP address. Because ip host follows vlan, it is evaluated at the tagged offsets, so it matches only tagged frames for this address (with any VLAN ID), and the vlan 100 term additionally matches every VLAN 100 frame regardless of IP address.

The filter ip host 10.9.8.7 or vlan 100 captures untagged frames for this IP address, plus every VLAN 100 frame for any source or destination IP address.

Environment

The switch port is configured with VLAN trunking to send non-native VLAN-tagged frames to the Edge SWG (ProxySG).

Cause

The vlan keyword in a Berkeley Packet Filter expression changes the decoding offsets for the remainder of the expression: every primitive after it is evaluated as if the frame carries a 4-byte 802.1Q tag, while every primitive before it is evaluated at untagged offsets. Each additional vlan keyword shifts the offsets again, which is how nested (stacked) tags are matched.

Note: Edge SWG (ProxySG) supports VLAN offloading, which affects whether the VLAN tag is still present in the frame at the time the filter is applied. If offloading has already stripped the tag, the frame matches only the untagged form of the filter.

Resolution

Filter traffic for the VLAN using the following format:

(<expression filter>) or (vlan <id> and (<expression filter>))

Example

(ip host 10.9.8.7) or (vlan 100 and (ip host 10.9.8.7))
 
This filter captures untagged frames for the IP address (the first ip host term, evaluated at untagged offsets) and VLAN 100 tagged frames for the same IP address (the second ip host term, evaluated at tagged offsets because it follows vlan 100). Frames on other VLANs, and VLAN 100 frames for other addresses, are not captured.
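The offset behaviour described under Cause, the three filters in the Filtering section and the recommended filter above can be exercised without a ProxySG. The following Python script is an added example written for this article; it is not SGOS or libpcap code. It models only the part of BPF compilation that matters here (each vlan keyword shifts the link-layer offsets for every primitive that follows it), builds four constructed sample frames (the endpoint untagged, the endpoint on VLAN 100, another host on VLAN 100, and the endpoint on VLAN 200), and reports which frames each filter captures. The frame contents, the placeholder MAC addresses and the expression-tree encoding of the filters are assumptions of the example.

```python
"""
Model of how a libpcap-style BPF compiler handles the `vlan` keyword.
Added illustration for this article, not SGOS code and not libpcap itself:
it reproduces only the behaviour that matters here, namely that each `vlan`
keyword adds 4 bytes to the link-layer offsets used by every primitive that
follows it in the expression text. The sample frames are constructed inline.
"""
import ipaddress
import struct

ETH_P_8021Q = 0x8100   # 802.1Q TPID
ETH_P_IP = 0x0800
HOST = "10.9.8.7"      # endpoint from the article
PROXY = "10.1.1.1"     # Edge SWG from the article


def build_frame(src, dst, vlan_id=None):
    """Constructed sample frame: Ethernet header, optional 802.1Q tag,
    then a minimal 20-byte IPv4 header. MAC addresses are placeholders."""
    eth = bytes.fromhex("001122334455" "66778899aabb")      # dst MAC, src MAC
    tag = b""
    if vlan_id is not None:
        tag = struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)  # PCP/DEI = 0
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)
    return eth + tag + struct.pack("!H", ETH_P_IP) + ipv4


def compile_filter(expr):
    """Turn a nested-tuple expression into a predicate over frame bytes.

    Expression forms: ("vlan", id), ("ip_host", "a.b.c.d"),
    ("and", e1, e2), ("or", e1, e2). Primitives are compiled in textual
    (left-to-right) order; a `vlan` node checks the TPID at the current
    offset and then shifts the offset for everything compiled after it."""
    state = {"shift": 0}

    def compile_node(node):
        op = node[0]
        if op in ("and", "or"):
            left, right = compile_node(node[1]), compile_node(node[2])
            if op == "and":
                return lambda frame: left(frame) and right(frame)
            return lambda frame: left(frame) or right(frame)
        shift = state["shift"]          # offsets in force at this point of the text
        if op == "vlan":
            vid = node[1]
            state["shift"] += 4         # later primitives assume a 4-byte tag

            def vlan_pred(frame):
                if len(frame) < shift + 16:
                    return False
                tpid, tci = struct.unpack_from("!HH", frame, shift + 12)
                return tpid == ETH_P_8021Q and (vid is None or (tci & 0x0FFF) == vid)
            return vlan_pred
        if op == "ip_host":
            addr = ipaddress.IPv4Address(node[1]).packed

            def host_pred(frame):
                if len(frame) < shift + 34:
                    return False
                if struct.unpack_from("!H", frame, shift + 12)[0] != ETH_P_IP:
                    return False
                src, dst = frame[shift + 26:shift + 30], frame[shift + 30:shift + 34]
                return addr in (src, dst)
            return host_pred
        raise ValueError("unknown primitive %r" % (op,))

    return compile_node(expr)


# The article's filters, written as expression trees.
FILTERS = {
    "ip host 10.9.8.7": ("ip_host", HOST),
    "vlan 100 or ip host 10.9.8.7": ("or", ("vlan", 100), ("ip_host", HOST)),
    "ip host 10.9.8.7 or vlan 100": ("or", ("ip_host", HOST), ("vlan", 100)),
    "(ip host 10.9.8.7) or (vlan 100 and (ip host 10.9.8.7))":
        ("or", ("ip_host", HOST), ("and", ("vlan", 100), ("ip_host", HOST))),
}

# Constructed traffic: the endpoint untagged and tagged, another host on
# VLAN 100, and the endpoint on a different VLAN to expose the side effects.
FRAMES = {
    "untagged 10.9.8.7": build_frame(HOST, PROXY),
    "vlan100 10.9.8.7": build_frame(HOST, PROXY, 100),
    "vlan100 10.9.8.8": build_frame("10.9.8.8", PROXY, 100),
    "vlan200 10.9.8.7": build_frame(HOST, PROXY, 200),
}


def evaluate_all():
    """Return {filter text: {frame name: matched}} for every combination."""
    results = {}
    for text, expr in FILTERS.items():
        pred = compile_filter(expr)
        results[text] = {name: pred(frame) for name, frame in FRAMES.items()}
    return results


if __name__ == "__main__":
    for text, row in evaluate_all().items():
        print(text)
        for name, hit in row.items():
            print("   %-18s %s" % (name, "captured" if hit else "-"))
```

Running the script shows that vlan 100 or ip host 10.9.8.7 also captures the endpoint's VLAN 200 frames and every VLAN 100 frame for other hosts, while (ip host 10.9.8.7) or (vlan 100 and (ip host 10.9.8.7)) captures exactly the untagged and VLAN 100 frames for the endpoint. To confirm the same thing against a real compiler, tcpdump -d with each expression prints the generated BPF program, where the shifted load offsets after the vlan check are visible.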