Packet captures (PCAPs) can highlight failure points when dealing with issues in Edge SWG (formerly ProxySG) and Advanced Secure Gateway (ASG) appliances. They can also confirm if vital services such as DNS, authentication, and ICAP are working correctly.
You can create a packet capture from either the HTTPS web console or the command-line interface (CLI). Here's how you do it:
You can use the web console to make a capture filter and gather the needed traffic data.
Start by using your test client's Source Machine IP and the Destination IPs or resolved domain names of the relevant Internet sites. Resolve the IP based on the type of proxy you're using:
proxy#test dns example.com
For example, to ensure capturing both downstream (Client > Proxy) and upstream (Proxy > Server) conversations, you can create a filter where the client IP is 10.x.x.x, and the site is http://example.com with a resolved IP of 93.x.x.x.
ip host 10.x.x.x or ip host 93.x.x.x or host example.com
For multiple destinations, such as adding example.com, add to the filter:
10.x.x.x or ip host
93.x.x.x or ip host 104.x.x.x or host example.com
Note: The filter for example.com is done by DNS lookup and will capture all IPs in the response. There can be different resolutions for example.com, www.example.com, and also example1.com, and can affect what the filter will capture.
If you need to use a network subnet (CIDR notation required):
10.x.x.x or net
If you need to filter on an application port: Example: dns:53 or ICAP: 1344
port 53 or port 1344
Begin the capture just as you're about to reproduce the issue to minimize irrelevant data in the capture, making the review easier.
You can also create a capture filter in the CLI to gather traffic data.
Like with the web console, start with the test client's Source Machine IP and the Destination IPs of the involved Internet sites. Resolve the IP based on the type of proxy you're using:
test dns example.com
For example, here's a filter where the client IP is 10.x.x.x, and the site is http://example.com with a resolved IP of 93.x.x.x. This ensures that the packet capture has both downstream (Client > Proxy) and upstream (Proxy > Server) conversations.
SGOS# pcap filter expr "ip host 10.x.
x.x or ip host 93.x.x.x or host example.com"
For multiple destinations, such as adding example.com with a resolved IP of 104.x.x.x, add to the filter:
SGOS# pcap filter expr "ip host 10.x.x.x or ip host 93.x.x.x or ip host 104.x.x.x"
SGOS# pcap start
SGOS# pcap stop
SGOS# pcap transfer ftp://x.x.x.x/path/filename.cap ftpuser ftppassword
Note: The capture buffer on the appliance can contain a maximum of 100 MB of data by default, around 500000 packets worth, in a production environment.
For intermittent issues, consider starting a rolling packet capture. It records the latest traffic and overwrites older data. Stop the packet capture once the issue occurs.
After downloading the packet capture, you can use Wireshark for analysis. If you're working on a support case, you might need to upload the capture to Broadcom.
While creating a case with Broadcom support, if your appliance has internet access, you can upload the packet capture directly.
To upload the capture:
We may also require a Policy Trace, Sysinfo, and Event Log. Collect these before uploading your files.
By following these steps, you can troubleshoot issues effectively using packet captures.