ProxySG pcap filter for protocols does not work.

Article ID: 166830


Products

ProxySG Software - SGOS

Issue/Introduction

When you set a filter such as "ip proto icmp" or "ether proto arp", either from the command line or from the management console, the ProxySG rejects the filter. The error message looks like this:

SG - Blue Coat SG200 Series#pcap filter direction both interface all expr "ip proto tcp"
% Filter error: % "ip proto tcp" %
Column 9: Parse error
192.168.1.161 - Blue Coat SG200 Series#
 

Resolution

The ProxySG requires the protocol name to be double escaped, that is, prefixed with two backslashes.

For example, to filter on ICMP, enter the following filter expression in the management console:

ip proto \\icmp

and from the CLI, enter the filter as:

SG - Blue Coat SG200 Series#pcap filter expr "ip proto \\icmp"
 

Alternatively, you can use the hexadecimal or decimal service number, for example:

ip proto 0x1

for ICMP.

The IP protocol service numbers in hexadecimal are:

  • 0x1 - ICMP
  • 0x6 - TCP
  • 0x11 - UDP

or in decimal:

  • 1 - ICMP
  • 6 - TCP
  • 17 - UDP

The same applies to Ethernet. To filter for ARP, enter the following filter string in the management console:

ether proto \\arp

or via CLI:

SG - Blue Coat SG200 Series#pcap filter expr "ether proto \\arp"

Again, you can use the hexadecimal or decimal service numbers for Ethernet:

  • 0x0800 IP(v4), Internet Protocol version 4
  • 0x0806 ARP, Address Resolution Protocol
  • 0x8035 RARP, Reverse Address Resolution Protocol
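
The following is an added example, not part of the original article and not ProxySG code: a small Python check that finds "ip proto" / "ether proto" terms whose protocol name is not double escaped and rewrites them to either of the two forms the article describes. The function names are hypothetical, the sample expressions are constructed, and joining terms with "or" is assumed to follow standard pcap filter syntax.

```python
import re

# Service numbers exactly as listed in the article above.
PROTO_NUMBERS = {
    "ip": {"icmp": "0x1", "tcp": "0x6", "udp": "0x11"},
    "ether": {"ip": "0x0800", "arp": "0x0806", "rarp": "0x8035"},
}

TWO_BACKSLASHES = "\\\\"  # the two literal characters the article puts before a name

# "<ip|ether> proto <name>", with any backslashes already in front of the name.
# Numeric values (0x6, 17) start with a digit, so they never match.
_PROTO = re.compile(r"\b(ip|ether)\s+proto\s+(\\*)([A-Za-z]\w*)", re.IGNORECASE)


def not_double_escaped(expr):
    """Return the protocol names in expr that lack the two-backslash prefix."""
    return [m.group(3) for m in _PROTO.finditer(expr)
            if m.group(2) != TWO_BACKSLASHES]


def to_proxysg(expr, numeric=False):
    """Rewrite each '<ip|ether> proto <name>' term into a form from the article.

    numeric=False: prefix the name with exactly two backslashes.
    numeric=True:  use the listed hexadecimal number; names the article does
                   not list fall back to the double-escaped form.
    """
    def fix(m):
        qualifier, name = m.group(1), m.group(3)
        number = None
        if numeric:
            number = PROTO_NUMBERS[qualifier.lower()].get(name.lower())
        return f"{qualifier} proto {number or TWO_BACKSLASHES + name}"
    return _PROTO.sub(fix, expr)


if __name__ == "__main__":
    # Constructed samples; the first is the expression rejected in the article.
    samples = ["ip proto tcp", r"ip proto \icmp or ether proto arp", "ip proto 17"]
    for sample in samples:
        print("input:  ", sample, "-> needs fixing:", not_double_escaped(sample))
        print("escaped:", to_proxysg(sample))
        print("numeric:", to_proxysg(sample, numeric=True))
```

The numeric form is the safer choice when a filter passes through scripts or templates that may consume backslashes before the expression reaches the appliance.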