When setting a filter like "ip proto icmp" or "ether proto arp", from the command line or from the management console, the ProxySG rejects the filter. The error message looks like:
SG - Blue Coat SG200 Series#pcap filter direction both interface all expr "ip proto tcp"
% Filter error: % "ip proto tcp" %
Column 9: Parse error 192.168.1.161 - Blue Coat SG200 Series#
The ProxySG requires the protocol to be double escaped.
For example, if you wanted to filter on ICMP, on the management console you would enter for the filtering expression:
ip proto \\icmp
and from the CLI you would enter the filter like:
SG - Blue Coat SG200 Series#pcap filter expr "ip proto \\icmp"
Alternatively, you can use the hexadecimal or decimal service number like:
ip proto 0x1
IP protocol services are:
or in decimal:
Similarly, for ethernet. If you want to filter for arp, you would put in the filter string in the management console:
ether proto \\arp
or via CLI:
SG - Blue Coat SG200 Series#pcap filter expr "ether proto \\arp"
Again, you can use the hexadecimal or decimal services for ethernet: