Analyzing packet captures obtained from a ProxySG


Article ID: 165357




ProxySG Software - SGOS


You have collected a packet capture from a ProxySG while reproducing the issue.

You want to analyze the captured data in order to isolate the issue.

What protocol analyzer can I use to analyze a packet capture (pcap) obtained from a ProxySG?


There are various methods for reviewing packet capture related information from the proxy appliance:

  • View packet capture statistics by navigating to https://ProxySG_IP_address:8082/PCAP/Statistics. From this page you can start, stop, and download a packet capture and obtain various statistics.
  • View packet capture data through the Management Console by going to Maintenance > Service Information > Packet Capture, and clicking the "Show statistics" button.
  • View packet capture data through the CLI using the following command:

      SGOS# pcap info

To analyze captured packet data, use a tool that reads Packet Sniffer Pro 1.1 files, such as Wireshark or Packet Sniffer Pro 3.0.  

Wireshark can be downloaded for free at .


Additional Information:

Here are several helpful Wireshark filters, each followed by a brief description:


http.request || http.response

Displays all HTTP request and response packets


Displays all packets that contain a full request URI/URL


Displays SSL handshake packets (client hello, server hello, client key exchange, change cipher spec, etc.)


Displays DNS delays greater than 0.5 seconds

http.request.method == "POST"

Displays all POST requests (can be modified for other request methods such as "HEAD")

ntlmssp.messagetype == 0x00000003

Displays all packets with the NTLM Auth message (NTLMSSP_AUTH). Used to help track NTLM authentication requests/conversations


Displays all NTLM packets

tcp.dstport == 3389 and tcp.flags.syn==1

Displays RDP connection attempts (TCP SYN packets sent to port 3389)
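
To show what two of the filters above test at the byte level, the following added example (not part of the original article or of any Broadcom tooling) counts matches for `tcp.dstport == 3389 and tcp.flags.syn==1` and an approximation of `http.request.method == "POST"`. It assumes the capture has been re-saved from Wireshark as a classic libpcap file with untagged Ethernet/IPv4 framing; the function names, addresses, ports and sample frames are constructed for illustration.

```python
import struct

def tcp_segments(pcap):
    """Yield (dst_port, tcp_flags, payload) per IPv4/TCP frame in a classic libpcap buffer."""
    e = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", pcap[:4])[0])
    if e is None:
        raise ValueError("not a classic (microsecond) libpcap file")
    if struct.unpack(e + "I", pcap[20:24])[0] != 1:   # link type 1 = Ethernet
        raise ValueError("only Ethernet captures are handled")
    off = 24                                          # first record follows the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(e + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # keep only untagged IPv4 (ethertype 0x0800) carrying TCP (protocol 6)
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total]              # IP total length drops Ethernet padding
        if len(tcp) >= 20:
            yield struct.unpack("!H", tcp[2:4])[0], tcp[13], tcp[(tcp[12] >> 4) * 4:]

def is_rdp_syn(dport, flags, payload):
    # tcp.dstport == 3389 and tcp.flags.syn==1: only the client's opening SYN matches
    return dport == 3389 and bool(flags & 0x02)

def is_http_post(dport, flags, payload):
    # approximates http.request.method == "POST" by checking the start of the request line
    return payload.startswith(b"POST ")

def count_matches(pcap):
    segs = list(tcp_segments(pcap))
    return {"rdp_syn": sum(is_rdp_syn(*s) for s in segs),
            "http_post": sum(is_http_post(*s) for s in segs)}

def _frame(dport, flags, payload=b""):
    # constructed Ethernet/IPv4/TCP frame between documentation addresses
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    # constructed capture: RDP SYN, RDP ACK, HTTP POST, HTTP GET
    frames = [_frame(3389, 0x02), _frame(3389, 0x10),
              _frame(8080, 0x18, b"POST /login HTTP/1.1\r\n\r\n"),
              _frame(8080, 0x18, b"GET / HTTP/1.1\r\n\r\n")]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

Of the two constructed segments sent to port 3389, only the SYN is counted, which is why the RDP filter is useful for listing connection attempts rather than whole sessions.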