Using packet capture for ProxySG and Advanced Secure Gateway (ASG) troubleshooting

Article ID: 167108

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

Packet capture (PCAP) is essential for most Symantec ProxySG and Symantec Advanced Secure Gateway (ASG) troubleshooting.

A packet capture is a quick way to locate the point of failure and to verify that the services the proxy depends on, such as DNS, authentication, and ICAP, are answering as expected.

Resolution

You can run a simple packet capture from the HTTPS web console (Management Console) or from the command line interface (CLI).

Web console

  1. Create a filter to capture the traffic. Symantec recommends that you filter on the source IP of the test client and the destination IPs of the Internet sites in question, rather than capturing everything the proxy sees.

    For example, here is a filter where the client IP is 10.4.50.32 and the site is http://example.com, which resolves to 93.184.216.34. Resolve the IP where the connection to the site is actually made: on the client machine in a transparent proxy deployment, or on the proxy in an explicit proxy deployment (CLI command: test dns example.com), because the proxy's DNS answer can differ from the client's. Including both the client and the site ensures that the capture contains both the downstream (client to proxy) and upstream (proxy to site) conversations.

    host 10.4.50.32 or host 93.184.216.34

    If you are testing more than one destination, for example a second site that resolves to 104.154.170.133, just add it to the filter. A hostname can also be used directly:

    host 10.4.50.32 or host 93.184.216.34 or host 104.154.170.133 or host example.com

    A hostname in the filter is resolved by DNS when the filter is set, and every IP in the response is captured. The match is on the IP address, not on the HTTP GET or Host header: the TCP SYN arrives before any GET, so the capture engine cannot select traffic by hostname. Consequently example.com and www.example.com may resolve to different IPs and need separate terms, and traffic to an unrelated site (example1.com, say) is also captured if it shares an IP with the site you are filtering on.

    If you need to capture a whole network, use CIDR notation (required):

    host 10.4.50.32 or net 93.184.216.0/24
     
  2. Start the packet capture. In the ProxySG Management Console, navigate to Maintenance > Service Information > Packet Capture > Start.
  3. Test the Internet site(s) or reproduce the issue.
  4. Stop the packet capture. In the ProxySG Management Console, navigate to Maintenance > Service Information > Packet Capture > Stop.
  5. Download the packet capture. In the ProxySG Management Console, navigate to Maintenance > Service Information > Packet Capture > Download.
  6. If you need to upload the capture to a case for review by Symantec Support, see:

CLI

  1. Create a filter to capture the traffic, following the same recommendations as for the web console: the test client's source IP plus the destination IPs of the Internet sites in question, with the destination IPs resolved on the client machine (transparent proxy) or on the proxy with test dns example.com (explicit proxy). Including both ends ensures that the capture contains both the downstream and upstream conversations.

    For example, with a client IP of 10.4.50.32 and http://example.com resolving to 93.184.216.34:

    SGOS# pcap filter expr "ip host 10.4.50.32 or ip host 93.184.216.34"

    To add a second destination that resolves to 104.154.170.133, extend the expression:

    SGOS# pcap filter expr "ip host 10.4.50.32 or ip host 93.184.216.34 or ip host 104.154.170.133"
  2. Start the capture, reproduce the issue, then stop the capture:

    SGOS# pcap start
    SGOS# pcap stop

  3. If the GUI is unavailable to download the file, you have a couple of options:
The capture buffer on the SG can contain a maximum of 100 MB of data by default, around 500,000 packets' worth, so in a production environment.
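To make the filter rules above concrete, here is an added example (not part of this article, and not an SGOS tool) that builds the capture expression from the test client's IP and a list of destinations. It resolves hostnames up front, the way the proxy does when it compiles the filter, so that you can see exactly which IPs the capture will match; it also rejects a subnet that is not valid CIDR. The DNS answers in FAKE_DNS are constructed for the example and are not real lookups: in practice you would plug in the addresses returned by test dns on the proxy, or socket.getaddrinfo on the client.

```python
"""Build a ProxySG/ASG capture filter in the tcpdump/BPF syntax accepted by the
Management Console and by `pcap filter expr`.  Added example for this article;
the resolver table below is constructed, not real DNS data."""
import ipaddress
from typing import Callable

Resolver = Callable[[str], list[str]]

# Constructed DNS answers (not real lookups) standing in for `test dns <name>`
# on the proxy, or for a lookup on the test client in a transparent deployment.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "www.example.com": ["93.184.216.34", "104.154.170.133"],
}


def fake_resolver(name: str) -> list[str]:
    """Stand-in resolver over the constructed table above."""
    return FAKE_DNS.get(name.lower().rstrip("."), [])


def destination_terms(target: str, resolver: Resolver) -> list[str]:
    """Map one destination to BPF terms.

    - a literal address becomes `host A.B.C.D`
    - a subnet becomes `net A.B.C.0/N`; it must be CIDR with no host bits set
    - a hostname is resolved NOW into one `host` term per address, because the
      proxy compiles a name into the IPs returned at filter-creation time and
      then matches packets on IP, never on the HTTP Host header
    """
    try:
        return [f"host {ipaddress.ip_address(target)}"]
    except ValueError:
        pass
    if "/" in target:
        try:
            return [f"net {ipaddress.ip_network(target, strict=True)}"]
        except ValueError as exc:
            raise ValueError(f"subnet {target!r} is not valid CIDR: {exc}") from exc
    addrs = resolver(target)
    if not addrs:
        raise ValueError(f"{target!r} did not resolve; the filter would match nothing")
    return [f"host {a}" for a in addrs]


def build_filter(client_ip: str, destinations: list[str],
                 resolver: Resolver = fake_resolver) -> str:
    """Client first, then each destination, with duplicate terms removed in order
    (two names sharing an IP collapse to one `host` term)."""
    terms = [f"host {ipaddress.ip_address(client_ip)}"]
    for dest in destinations:
        terms.extend(destination_terms(dest, resolver))
    return " or ".join(dict.fromkeys(terms))


def cli_command(expression: str) -> str:
    """The SGOS CLI form of the same expression."""
    return f'pcap filter expr "{expression}"'


if __name__ == "__main__":
    expr = build_filter("10.4.50.32", ["example.com", "www.example.com"])
    print(expr)
    print(cli_command(expr))
```

The builder emits the plain `host` form shown for the console; the CLI examples in this article prefix each term with `ip`, which additionally restricts the match to IPv4 traffic. Either form is accepted by the capture engine.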

Rolling packet capture

To catch intermittent issues, run a rolling packet capture: leave the capture running (when the buffer fills it wraps around and overwrites the oldest packets) and stop it as soon as the issue occurs, so that the most recent traffic is kept. See Setting Rolling Packet Capture with increased size limit on ProxySG and Advanced Secure Gateway.

Analyze the packet capture

Once you have downloaded the packet capture, open it in Wireshark to analyze it. If needed, you can also upload it to an open case with Symantec.
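Before opening the file in Wireshark or attaching it to a case, it is worth confirming that the capture really holds both halves of the conversation the filter was built for. The following added example (not from this article, and not something SGOS provides) parses a classic libpcap file with the Python standard library and counts new-connection SYNs sent by the test client (downstream) and SYNs sent towards the origin IPs by anything other than the client (the proxy's upstream connection). The three-frame capture it builds is constructed in memory for the example; the proxy IP 10.4.1.5 and listening port 8080 are assumptions for an explicit deployment. It assumes the download is in classic libpcap format and rejects anything else with a clear error.

```python
"""Sanity-check a downloaded capture: does it contain both the downstream
(client -> proxy) and upstream (proxy -> origin) conversations?  Added example
for this article; the capture below is constructed, not a real proxy download."""
import struct
from typing import Iterator

PCAP_MAGIC = 0xA1B2C3D4        # classic libpcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D     # nanosecond variant
TCP_SYN, TCP_ACK = 0x02, 0x10


def iter_frames(pcap: bytes) -> Iterator[bytes]:
    """Yield raw link-layer frames from a classic libpcap file (either byte order)."""
    if struct.unpack("<I", pcap[:4])[0] in (PCAP_MAGIC, PCAP_MAGIC_NS):
        end = "<"
    elif struct.unpack(">I", pcap[:4])[0] in (PCAP_MAGIC, PCAP_MAGIC_NS):
        end = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_ipv4_tcp(frame: bytes):
    """Return (src, dst, sport, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                                    # IP protocol 6 = TCP
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[13]


def check_conversations(pcap: bytes, client_ip: str, origin_ips: set[str]) -> dict:
    """Downstream = pure SYN sent by the test client (to the proxy in explicit mode,
    to the origin in transparent mode).  Upstream = pure SYN sent to an origin IP
    by anything other than the client, i.e. the proxy's own connection."""
    downstream = upstream = 0
    for frame in iter_frames(pcap):
        pkt = parse_ipv4_tcp(frame)
        if pkt is None:
            continue
        src, dst, _, _, flags = pkt
        if flags & TCP_SYN and not flags & TCP_ACK:       # SYN without ACK = new connection
            if src == client_ip:
                downstream += 1
            elif dst in origin_ips:
                upstream += 1
    return {"downstream_syn": downstream, "upstream_syn": upstream,
            "complete": downstream > 0 and upstream > 0}


def _tcp_frame(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero, which the parser ignores."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"
    ip_src, ip_dst = (bytes(map(int, a.split("."))) for a in (src, dst))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0, ip_src, ip_dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0)
    return eth + ip + tcp


def constructed_capture() -> bytes:
    """Constructed three-frame capture: client SYN to an assumed explicit proxy at
    10.4.1.5:8080, the proxy's SYN to the origin, and the origin's SYN/ACK
    (which must not be counted as a new connection)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    frames = [
        _tcp_frame("10.4.50.32", "10.4.1.5", 51000, 8080, TCP_SYN),
        _tcp_frame("10.4.1.5", "93.184.216.34", 40000, 80, TCP_SYN),
        _tcp_frame("93.184.216.34", "10.4.1.5", 80, 40000, TCP_SYN | TCP_ACK),
    ]
    out = [header]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)))
        out.append(f)
    return b"".join(out)


if __name__ == "__main__":
    print(check_conversations(constructed_capture(), "10.4.50.32", {"93.184.216.34"}))
```

If "complete" comes back False, the usual causes are the ones the filter section warns about: the destination was resolved on the wrong side (client versus proxy), or the site answered from an IP that was not in the filter.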