Common PCAP Filters Used on an Edge SWG (ProxySG) Appliance

Article ID: 167176


Products

  • Advanced Secure Gateway Software - ASG
  • ProxySG Software - SGOS
  • ISG Proxy

Issue/Introduction

When capturing data to identify a problem, I find that the PCAP fills up quickly because my network is very busy. What capture filters can I use to gather just the information I'm interested in when taking packet captures on my ProxySG, ASG, or ISG appliance?


Resolution

The default packet capture file size is 100MB, but it can be increased to allow capture of up to 3% of the available system memory at startup (not to exceed 4GB). Increasing the buffer capacity of the capture file must be done manually each time; the appliance cannot be set to automatically capture more than the default for future captures. Instructions on modifying the buffer size can be found in KB Article: 168795

Consider the following when examining proxied traffic in a packet capture:

  • When a client requests an object that is not in the proxy's cache, there are at least two TCP sessions that need to happen. The first is a client-to-proxy TCP session, and the second is a proxy-to-OCS (origin content server) session.
  • The proxy may spawn other UDP (e.g. DNS/RDNS) and/or TCP sessions (e.g. authentication, ICAP with request modification) before a request can be sent to the OCS. A proxy that uses ICAP response or request modification could also spawn a TCP session to the configured ICAP server. You can include the port and/or IP addresses of these services in the capture filter if needed. However, you may want to verify the health (Health Check) of these services for obvious problems before taking packet captures.


Most common PCAP filters to use on a ProxySG appliance:

Capture traffic by client IP:
ip host x.x.x.x
where x.x.x.x is the IP address of the client initiating the request.

Capture by client IP address, destination IP of the origin content server, or DNS requests:
ip host x.x.x.x || ip host y.y.y.y || port 53
where x.x.x.x is the IP address of the client who initiated the request and y.y.y.y is the IP address of the origin content server.

Capture by client IP address or requests for a specific domain:
ip host x.x.x.x || host www.example.com
where x.x.x.x is the IP address of the client who initiated the request and www.example.com is the domain the user has requested.

Capture native FTP traffic:
port ftp || port ftp-data

Capture multicast packets to troubleshoot a ProxySG appliance failover deployment:
ip multicast

Capture all traffic originating from a specific LAN network:
src net 192.168.3.16/28
This will capture traffic sourced from all IPs on the 192.168.3.16 netmask 255.255.255.240 network.
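To see what each of the filters above keeps and drops from a busy capture, the following is an added example (not part of this article and not ProxySG code) that evaluates the same capture-filter expressions over a small, constructed set of packet records modelling one proxied request: client to proxy, proxy to DNS, proxy to ICAP, proxy to OCS, plus unrelated traffic. The addresses, ports and hostname-to-IP table are placeholders, not values from the article. Only the primitives used on this page (ip host / host, port, src net, ip multicast, and || ) are supported; it is a teaching model of the libpcap semantics, not a replacement for tcpdump.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    note: str


# Constructed sample capture (placeholder addresses, not from the article).
CLIENT, PROXY, OCS, DNS, ICAP = "10.1.1.50", "10.1.1.10", "203.0.113.80", "10.1.1.53", "10.1.1.60"
SAMPLE = [
    Pkt(CLIENT, PROXY, "tcp", 51000, 8080, "client -> proxy: GET www.example.com"),
    Pkt(PROXY, DNS, "udp", 40001, 53, "proxy -> DNS: A? www.example.com"),
    Pkt(DNS, PROXY, "udp", 53, 40001, "DNS -> proxy: A 203.0.113.80"),
    Pkt(PROXY, ICAP, "tcp", 40002, 1344, "proxy -> ICAP: REQMOD"),
    Pkt(PROXY, OCS, "tcp", 40003, 80, "proxy -> OCS: GET /"),
    Pkt(OCS, PROXY, "tcp", 80, 40003, "OCS -> proxy: 200 OK"),
    Pkt(PROXY, CLIENT, "tcp", 8080, 51000, "proxy -> client: 200 OK"),
    Pkt(PROXY, "203.0.113.21", "tcp", 40010, 21, "proxy -> FTP server: control channel"),
    Pkt(PROXY, "224.0.0.18", "vrrp", 0, 0, "proxy -> multicast: failover advertisement"),
    Pkt("10.1.1.77", PROXY, "tcp", 52000, 8080, "unrelated client -> proxy"),
    Pkt("192.168.3.20", PROXY, "tcp", 53000, 8080, "branch LAN client -> proxy"),
]

# Constructed name table standing in for the resolver; libpcap resolves a
# hostname in a filter once, when the filter is compiled, so a name that
# resolves to several or changing addresses may not match what the client got.
NAMES = {"www.example.com": [OCS]}
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "domain": 53}


def resolve_name(name):
    """Return the IP list for a hostname, or the literal if it is already an IP."""
    return NAMES.get(name, [name])


def parse_filter(expr, resolve):
    """Turn an OR-joined filter expression into a list of packet predicates."""
    preds = []
    for term in re.split(r"\s*(?:\|\||\bor\b)\s*", expr.strip()):
        words = term.split()
        if not words:
            raise ValueError("empty filter term")
        if words[0] == "ip":          # "ip host", "ip multicast": IPv4 qualifier
            words = words[1:]
        if words == ["multicast"]:    # destination is a multicast group address
            preds.append(lambda p: ipaddress.ip_address(p.dst).is_multicast)
        elif words[0] == "host":      # host matches either source or destination
            addrs = set(resolve(words[1]))
            preds.append(lambda p, a=addrs: p.src in a or p.dst in a)
        elif words[0] == "port":      # port matches either source or destination port
            port = PORT_NAMES.get(words[1]) or int(words[1])
            preds.append(lambda p, n=port: p.sport == n or p.dport == n)
        elif words[:2] == ["src", "net"]:  # src net matches only the source address
            net = ipaddress.ip_network(words[2], strict=False)
            preds.append(lambda p, n=net: ipaddress.ip_address(p.src) in n)
        else:
            raise ValueError(f"unsupported primitive: {term!r}")
    return preds


def apply_filter(expr, packets, resolve=resolve_name):
    """Keep the packets that satisfy at least one term of the expression."""
    preds = parse_filter(expr, resolve)
    return [p for p in packets if any(pred(p) for pred in preds)]


def matching_notes(expr):
    """Convenience wrapper: descriptions of the sample packets the filter keeps."""
    return [p.note for p in apply_filter(expr, SAMPLE)]


if __name__ == "__main__":
    for f in ("ip host 10.1.1.50",
              "ip host 10.1.1.50 || ip host 203.0.113.80 || port 53",
              "ip host 10.1.1.50 || host www.example.com",
              "port ftp || port ftp-data",
              "ip multicast",
              "src net 192.168.3.16/28"):
        print(f"{f}:")
        for note in matching_notes(f):
            print("   ", note)
```

Running it shows the point made earlier in the article: a client-IP-only filter captures just the client-to-proxy leg, the three-term filter adds the proxy-to-OCS leg and the DNS lookup, and the ICAP exchange is dropped unless its server address or port is added to the expression.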

You can use Wireshark or your preferred packet analyzer to view packet captures taken from Blue Coat/Symantec proxies.