Using packet captures - Quick start guide



Solution

Overview

The packet capture facility is essential for most troubleshooting: it is a quick, easy way to find the point of failure and to check that the services the proxy depends on, such as DNS, authentication and ICAP, are working. Once you have used the tips below to obtain the capture file, you will need Wireshark to analyse it.

Resolution

1- Running a simple capture from the HTTPS Web console or the CLI:

Web console:

Start a packet capture via Management Console > Maintenance > Service information > Packet Capture > Start.
Test the internet site(s) or reproduce the issue as necessary.
Stop the packet capture via Management Console > Maintenance > Service information > Packet Capture > Stop.
Download the file as *.pcap or *.cap.

CLI:

SGOS# pcap start
SGOS# pcap stop

If you cannot access the HTTPS GUI to download the file, the only option is to upload it to an FTP server from the CLI:

SGOS# pcap transfer ftp://x.x.x.x/path/filename.cap ftpuser ftppassword
 
2- Running a capture with filters. The capture buffer on the SG can hold at most 100 MB of data, around 500,000 packets, so in a production environment it may be necessary to capture only the relevant traffic using filters:
 
Web console:
 
Maintenance > Service information > Packet Capture > Filter.
In the filter field, enter the following (without the angle brackets):

host <client IP> || host <server/website IP or hostname> || host <IP of the DNS server> || host <IP of the authentication server or BCAAA> || host <IP of the ICAP server, if in use>

Here is an example for an explicit client 10.20.5.5 going to https://kb.bluecoat.com:

host 10.20.5.5 || host kb.bluecoat.com

Another example for the same client going to www.bluecoat.com:

host 10.20.5.5 || host www.bluecoat.com

Start a packet capture via Management Console > Maintenance > Service information > Packet Capture > Start.
Test the internet site(s) or reproduce the issue as necessary.
Stop the packet capture via Management Console > Maintenance > Service information > Packet Capture > Stop.
 
 
CLI:

SGOS# pcap filter expr "host <client IP> || host <server IP or hostname>"
SGOS# pcap start
SGOS# pcap stop
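As an added example (not from the article or from SGOS): a small Python helper that assembles the "host ... || host ..." filter expression described above, validating each address or hostname before it is pasted into the proxy, skipping roles that are not in use (for example, no ICAP server) and collapsing duplicates. The role names and the sample DNS and authentication addresses are this script's own assumptions; the emitted command strings are the article's CLI sequence.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# RFC 1123 hostname label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_host(value: str) -> bool:
    """Accept an IPv4/IPv6 address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    if not value or len(value) > 253:
        return False
    labels = value.rstrip(".").split(".")
    # All-numeric labels would be a malformed IPv4 address, not a hostname.
    if all(label.isdigit() for label in labels):
        return False
    return all(_LABEL.match(label) for label in labels)


def build_filter(hosts: Dict[str, Optional[str]]) -> str:
    """Build the capture filter 'host A || host B || ...' used by the article.

    `hosts` maps a role (client, server, dns, auth, icap; the role names are
    this script's own, not ProxySG terms) to an address or hostname. A role
    mapped to None (for example, no ICAP server in use) is skipped, duplicate
    addresses are collapsed, and a malformed value raises before it is ever
    typed into the proxy.
    """
    terms: List[str] = []
    for role, value in hosts.items():
        if value is None:
            continue
        if not is_valid_host(value):
            raise ValueError(f"{role}: {value!r} is not an IP address or hostname")
        term = f"host {value}"
        if term not in terms:
            terms.append(term)
    if not terms:
        raise ValueError("at least one host is required for the filter")
    return " || ".join(terms)


def cli_commands(expr: str, ftp_url: Optional[str] = None) -> List[str]:
    """The CLI sequence from the article: set the filter, start, stop, transfer."""
    cmds = [f'pcap filter expr "{expr}"', "pcap start", "pcap stop"]
    if ftp_url:
        # Credential placeholders: type the real ones at the console, never store them here.
        cmds.append(f"pcap transfer {ftp_url} <ftpuser> <ftppassword>")
    return cmds


if __name__ == "__main__":
    # The article's explicit-proxy example plus constructed DNS/auth addresses.
    expr = build_filter({
        "client": "10.20.5.5",
        "server": "kb.bluecoat.com",
        "dns": "10.20.1.53",      # constructed
        "auth": "10.20.1.10",     # constructed, e.g. the BCAAA host
        "icap": None,             # no ICAP server in use
    })
    for line in cli_commands(expr, "ftp://x.x.x.x/path/filename.cap"):
        print("SGOS#", line)
```

Rejecting malformed input up front matters because a filter that silently matches nothing leaves you with an empty capture after the issue has already been reproduced.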
 
 
3- Starting a rolling pcap to catch intermittent issues: leave the capture running so that it overwrites itself, then stop it when the issue occurs, so that the buffer holds the most recent traffic:
 
Web console:
 
Maintenance > Service information > Packet Capture > Start > Buffering > Capture last: matching packets (max 1,000,000) or last matching Kbytes (max 102,400)
 
CLI:
 
SGOS# pcap start last count 500000        (keep the last 500000 packets)
SGOS# pcap start last capsize 5000000     (keep the last 5000000 Kbytes)
 
Once you have downloaded the capture, you are ready to use Wireshark to analyse it.  Please see the section "Task 4: Analyse the packet capture data" in KB4827 for tips on capture analysis with Wireshark.
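Added example, not part of the article or of SGOS: before opening the downloaded file in Wireshark, a quick scripted triage can confirm that the capture actually contains the dependent services the overview mentions. This pure-Python reader assumes the download is a classic pcap (not pcapng) with Ethernet framing, counts DNS (UDP 53) and ICAP (TCP 1344, the registered ICAP port) packets, and tallies source/destination pairs. The embedded capture is constructed inline so the script runs offline; the client 10.20.5.5 is the article's, every other address is made up.

```python
import ipaddress
import struct
from collections import Counter
from typing import Any, Dict, Iterator, List, Optional, Tuple

LINKTYPE_ETHERNET = 1
PROTO_TCP, PROTO_UDP = 6, 17
DNS_PORT, ICAP_PORT = 53, 1344   # adjust ICAP_PORT if your ICAP service listens elsewhere


def parse_pcap(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame) for every record of a classic pcap file.

    Both byte orders of the microsecond magic are handled; pcapng and the
    nanosecond-resolution variant are rejected rather than misread.
    """
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng and nanosecond pcap unsupported)")
    linktype = struct.unpack_from(end + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24  # global header length
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl]
        off += incl


def decode_ipv4(frame: bytes) -> Optional[Tuple[str, str, int, Optional[int], Optional[int]]]:
    """Return (src, dst, proto, sport, dport) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    l4 = 14 + ihl
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", frame, l4)
        return src, dst, proto, sport, dport
    return src, dst, proto, None, None


def summarize(data: bytes) -> Dict[str, Any]:
    """Count packets, DNS and ICAP traffic, and packets per source/destination pair."""
    pairs: Counter = Counter()
    dns = icap = total = 0
    for _ts, frame in parse_pcap(data):
        total += 1
        info = decode_ipv4(frame)
        if info is None:
            continue
        src, dst, proto, sport, dport = info
        pairs[(src, dst)] += 1
        if proto == PROTO_UDP and DNS_PORT in (sport, dport):
            dns += 1
        if proto == PROTO_TCP and ICAP_PORT in (sport, dport):
            icap += 1
    return {"packets": total, "dns_packets": dns, "icap_packets": icap, "pairs": dict(pairs)}


# --- constructed sample capture (not a real ProxySG download) ----------------

def _frame(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + payload   # Ethernet header with zeroed MACs


def _udp(src: str, dst: str, sport: int, dport: int, body: bytes = b"\x00" * 12) -> bytes:
    return _frame(src, dst, PROTO_UDP, struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body)


def _tcp_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    return _frame(src, dst, PROTO_TCP, struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0))


def make_pcap(frames: List[bytes]) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_400_000_000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = make_pcap([
    _udp("10.20.5.5", "10.20.1.1", 40000, DNS_PORT),       # client DNS query (constructed)
    _udp("10.20.1.1", "10.20.5.5", DNS_PORT, 40000),       # DNS response
    _tcp_syn("10.20.5.5", "192.0.2.10", 50000, 443),       # client to web server (TEST-NET-1)
    _tcp_syn("10.20.1.2", "10.20.1.3", 50001, ICAP_PORT),  # proxy to ICAP server (constructed)
])

if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP))
```

If the summary shows zero DNS or ICAP packets for a capture taken while the problem was reproduced, either the filter excluded those servers or the proxy never reached them; both are worth knowing before spending time in Wireshark.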
 
There is some overlap with these related articles:
 
KB4827 - Troubleshooting web pages that do not load or load incompletely
 
FAQ1486 - How do I capture a packet from a certain network or subnet with the ProxySG Packet Capture Facility?
 
KB1497 - Creating a packet capture filter
 
KB4698 - How to use Wireshark to capture a packet trace as part of troubleshooting a network/connectivity issue.
 
FAQ1464 - How do I capture only TCP Control packets with the ProxySG Packet Capture Facility?
InQuira Doc Id: KB4873

First Published: 10/01/2014
Last Modified: 10/01/2014
Last Published: 10/01/2014
Product: ProxySG
Article Number: 000014464