VLAN Filter On ProxySG PCAP Does Not Capture Both Sides Of The Conversation
Last Updated May 31, 2018
VLAN 100: LAN side tagging
Client IP: 10.9.8.7
Proxy IP: 10.1.1.1

Proxy Filter Examples:
vlan 100 or ip host 10.9.8.7 - captures client to ProxySG requests, but no ProxySG responses
ip host 10.9.8.7 or vlan 100 - captures client requests and ProxySG responses
So why does the order matter? Once the vlan token appears in the filter, any subsequent filter terms apply only to VLAN packets.
vlan 100 or ip host 10.9.8.7 - captures all VLAN packets with VLAN ID equal to 100 or VLAN packets with IP equal to 10.9.8.7
ip host 10.9.8.7 or vlan 100 - captures all packets with IP equal to 10.9.8.7 or VLAN packets with VLAN ID equal to 100
With the filter (vlan 100 or ip host 10.9.8.7), client-side traffic arriving at the ProxySG is VLAN-tagged (VLAN 100) and hence will be captured by the first filter. Return packets from the ProxySG are not tagged and thus are not VLAN packets, so the second filter will not record them.
This is normal, and the behaviour is identical to TCPDump. To capture both client-side requests and ProxySG responses, reorder the filter as follows:
ip host 10.9.8.7 or vlan 100
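
A simplified model of the behaviour described above, as an added example that is not ProxySG or tcpdump code: each term is evaluated left to right, and once a vlan term has been seen, every later term reads its fields 4 bytes further into the frame. The helper names frame() and matches() and the zeroed MAC addresses are constructed for illustration; the filters and IP addresses are the ones from this article.

```python
import socket
import struct

def frame(src, dst, vlan=None):
    """Constructed Ethernet + IPv4 header (no payload); 802.1Q tag if vlan is set."""
    eth = bytes(12)                                  # dst/src MAC, zeroed (constructed)
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)      # TPID + VLAN ID
    eth += struct.pack("!H", 0x0800)                 # EtherType: IPv4
    ip = b"\x45" + bytes(11) + socket.inet_aton(src) + socket.inet_aton(dst)
    return eth + ip

def matches(expr, pkt):
    """Evaluate 'term or term ...' left to right with the vlan offset shift."""
    shift, hit = 0, False
    for term in expr.split(" or "):
        words = term.split()
        etype = pkt[12 + shift:14 + shift]           # EtherType as this term sees it
        if words[0] == "vlan":
            vid = int.from_bytes(pkt[14 + shift:16 + shift], "big") & 0x0FFF
            ok = etype == b"\x81\x00" and vid == int(words[1])
            shift += 4                               # later terms assume a 4-byte tag
        elif words[:2] == ["ip", "host"]:
            addr = socket.inet_aton(words[2])
            ip = 14 + shift                          # where the IP header is assumed to start
            ok = etype == b"\x08\x00" and addr in (pkt[ip + 12:ip + 16],
                                                   pkt[ip + 16:ip + 20])
        else:
            raise ValueError("unsupported term: " + term)
        hit = hit or ok
    return hit

# Constructed frames for the scenario in this article.
CLIENT_REQ = frame("10.9.8.7", "10.1.1.1", vlan=100)   # tagged, arriving at the ProxySG
PROXY_RESP = frame("10.1.1.1", "10.9.8.7")             # untagged, leaving the ProxySG

if __name__ == "__main__":
    for expr in ("vlan 100 or ip host 10.9.8.7", "ip host 10.9.8.7 or vlan 100"):
        print(expr, "| request:", matches(expr, CLIENT_REQ),
              "| response:", matches(expr, PROXY_RESP))
```

With the vlan term first, the ip host term looks for the EtherType and addresses 4 bytes too deep in the untagged response, so the response never matches.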
Imported Document ID: 000032382