
Using packet captures - Quick start guide

Solutions ID:    KB4873
Version:    1.0
Status:    Published
Published date:    01/18/2012
 

Problem Description

The packet capture facility is essential for most troubleshooting: it is a quick, easy way to find the point of failure and to check that dependent services such as DNS, authentication and ICAP are working. Once you have used the tips below to obtain the capture file, you will need Wireshark to analyse it.

Resolution

1- Running a simple capture from the HTTPS Web console or CLI:

 

Web console:

Start a packet capture via the Management Console > Maintenance > Service information > Packet Capture > Start

Test the internet site(s) or reproduce the issue as necessary.

Stop the packet capture via Management Console > Maintenance > Service information > Packet Capture > Stop

and download the file as *.pcap or *.cap.

 

CLI:

SGOS# pcap start

SGOS# pcap stop

If you cannot access the HTTPS GUI to download the file, the only option is to upload it to an FTP server from the CLI. Note that FTP sends both the credentials and the capture in cleartext, and a capture can contain client credentials, cookies and page content, so use an FTP server on a trusted management network:

SGOS# pcap transfer ftp://x.x.x.x/path/filename.cap ftpuser ftppassword

 

2- Running a capture with filters. The capture buffer on the SG holds a maximum of 100 MB of data, roughly 500,000 packets, so in a production environment it may be necessary to capture only the relevant data using filters:

 

Web console:

Maintenance > Service information > pcaps > filter.
In the filter field, enter the following, substituting real addresses for the items in angle brackets (the brackets themselves are not typed):

host <clients ip> || host <server/website ip or hostname> || host <ip of the dns server> || host <ip of the authentication server or bcaaa> || host <ip of the icap server if in use>

Here is an example for an explicit client 10.20.5.5 going to https://kb.bluecoat.com:

host 10.20.5.5 || host kb.bluecoat.com

Another example for the same host going to www.bluecoat.com

host 10.20.5.5 || host www.bluecoat.com



Start a packet capture via Management Console > Maintenance > Service information > Packet Capture > Start

Test the internet site(s) or reproduce the issue as necessary.

Stop the packet capture via Management Console > Maintenance > Service information > Packet Capture > Stop
 

CLI:

SGOS# pcap filter expr "host <client ip> || host <server ip or hostname>"

SGOS# pcap start

SGOS# pcap stop

 

3- Starting a rolling pcap to catch intermittent issues: leave the capture running so that the buffer overwrites itself, and stop it when the issue occurs, so that the most recent traffic is kept:

Web console:

Maintenance > Service information > Packet Capture > Start > Buffering > Capture last: matching packets (max 1,000,000) or last matching Kbytes (max 102,400)

 

CLI:

SGOS# pcap start last count 500000 (for packets)

SGOS# pcap start last capsize 102400 (for Kbytes; the maximum is 102,400, i.e. the 100 MB buffer)

 

Once you have downloaded the capture, you are ready to use Wireshark to analyse it.  Please see the section "Task 4: Analyse the packet capture data" in KB4827 for tips on capture analysis with Wireshark.
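The script below is an added example and is not part of this article or of SGOS. It parses a downloaded classic pcap file with only the Python standard library, applies the same matching as the "host A || host B" capture filter above, and reports which of the dependent services (DNS, ICAP, authentication) were contacted but never replied, which is the first check to make once the capture is on your workstation. The addresses, frames and the port-to-service table are constructed for illustration; in particular, 16101 as the BCAAA port is an assumption to adjust for your deployment. Wireshark remains the tool for real analysis.

```python
"""Added example: parse a classic pcap, filter by host, check dependent services.
All addresses and frames below are constructed sample data, not a real capture."""
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1
# magic word as read little-endian -> (struct byte order, timestamp fraction divisor)
PCAP_MAGICS = {0xA1B2C3D4: ("<", 1e6), 0xD4C3B2A1: (">", 1e6),
               0xA1B23C4D: ("<", 1e9), 0x4D3CB2A1: (">", 1e9)}
# Port -> service. 53, 88, 389, 1344 are the IANA ports; 16101 for BCAAA is an
# assumption made for this example, adjust it to your deployment.
SERVICE_PORTS = {53: "dns", 80: "http", 443: "https", 88: "kerberos",
                 389: "ldap", 1344: "icap", 16101: "bcaaa"}


def build_frame(src, dst, proto, sport, dport, tcp_flags=0x02):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame with an empty payload."""
    if proto == 6:  # TCP: ports, seq, ack, data offset 5 words, flags, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    else:           # UDP: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return b"\x02" * 12 + b"\x08\x00" + ip + l4  # dummy MACs, EtherType IPv4


def build_pcap(frames, little_endian=True):
    """Write a classic pcap: 24-byte global header, then a 16-byte record per frame."""
    e = "<" if little_endian else ">"
    out = struct.pack(e + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack(e + "IIII", 1326844800 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(data):
    """Yield (timestamp, frame); a truncated last record (capture stopped mid-write) is dropped."""
    try:
        order, div = PCAP_MAGICS[struct.unpack("<I", data[:4])[0]]
    except (KeyError, struct.error):
        raise ValueError("not a classic pcap file (pcapng, or a truncated download?)")
    linktype = struct.unpack(order + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        sec, frac, incl, _orig = struct.unpack(order + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        if len(frame) < incl:
            break
        off += 16 + incl
        yield sec + frac / div, frame


def parse_frame(frame):
    """Return src/dst/proto/ports/TCP flags for an IPv4 frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    pkt = {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
           "proto": frame[23], "sport": None, "dport": None, "flags": None}
    l4 = frame[14 + ihl:]
    if pkt["proto"] in (6, 17) and len(l4) >= 4:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    if pkt["proto"] == 6 and len(l4) >= 14:
        pkt["flags"] = l4[13]
    return pkt


def matches_hosts(pkt, hosts):
    """Same semantics as the capture filter 'host A || host B || ...'."""
    return pkt["src"] in hosts or pkt["dst"] in hosts


def service_check(data, hosts):
    """Count requests to and replies from each well-known service among the filtered packets."""
    seen = defaultdict(lambda: {"requests": 0, "replies": 0})
    for _ts, frame in iter_packets(data):
        pkt = parse_frame(frame)
        if pkt is None or not matches_hosts(pkt, hosts):
            continue
        if pkt["dport"] in SERVICE_PORTS:
            seen[SERVICE_PORTS[pkt["dport"]]]["requests"] += 1
        elif pkt["sport"] in SERVICE_PORTS:
            seen[SERVICE_PORTS[pkt["sport"]]]["replies"] += 1
    return dict(seen)


def unanswered(summary):
    """Services that were contacted but never replied: the first place to look."""
    return sorted(s for s, c in summary.items() if c["requests"] and not c["replies"])


# Constructed sample: client 10.20.5.5, DNS 10.20.1.53, ICAP 10.20.1.44, site
# 203.0.113.10 (documentation range); 10.20.7.7 -> 198.51.100.9 is unrelated noise.
SAMPLE_FRAMES = [
    build_frame("10.20.5.5", "10.20.1.53", 17, 40000, 53),          # DNS query
    build_frame("10.20.1.53", "10.20.5.5", 17, 53, 40000),          # DNS answer
    build_frame("10.20.5.5", "203.0.113.10", 6, 51000, 443, 0x02),  # SYN to the site
    build_frame("203.0.113.10", "10.20.5.5", 6, 443, 51000, 0x12),  # SYN/ACK back
    build_frame("10.20.5.5", "10.20.1.44", 6, 51001, 1344, 0x02),   # ICAP SYN, never answered
    build_frame("10.20.7.7", "198.51.100.9", 6, 52000, 443, 0x02),  # outside the host filter
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)
HOSTS = {"10.20.5.5", "203.0.113.10", "10.20.1.53", "10.20.1.44"}

if __name__ == "__main__":
    summary = service_check(SAMPLE_PCAP, HOSTS)
    print(summary)
    print("no reply from:", unanswered(summary))
```

To use it on a real download, replace SAMPLE_PCAP with the file contents (open(path, "rb").read()) and HOSTS with the addresses you put in the filter. The host match is deliberately identical to the filter expression, which also shows its limit: any traffic to or from the listed server is kept, not only the one client's, so add the client address to narrow it.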

 

There is some overlap with these related articles:

KB4827 - Troubleshooting web pages that do not load or load incompletely

FAQ1486 - How do I capture a packet from a certain network or subnet with the ProxySG Packet Capture Facility?

KB1497 - Creating a packet capture filter

KB4698 - How to use Wireshark to capture a packet trace as part of troubleshooting a network/connectivity issue.

FAQ1464 - How do I capture only TCP Control packets with the ProxySG Packet Capture Facility?

