What are the Most Common PCAP Filters I Can Use on a CacheFlow or ProxySG Appliance?

Article ID: 167176

Products

Advanced Secure Gateway Software - ASG
CacheFlow Appliance Software
ProxySG Software - SGOS

Issue/Introduction

When capturing data to identify a problem, I find that the PCAP fills up quickly because my network is very busy. What capture filters can I use to gather just the information I'm interested in when taking packet captures on my CacheFlow or ProxySG / ASG appliance?


Resolution

Although an unfiltered packet capture is ideal because it preserves the complete Layer 2, Layer 3, and Layer 4 conversation for an investigation, a very busy proxy can fill the 100 MB capture buffer in less than 10 seconds, so the problem you are troubleshooting may never make it into the capture. Capture filters help in this situation by keeping only the traffic you are interested in.

Consider the following when examining proxied traffic in a packet capture:

  • When a client requests an object that is not in the proxy's cache, at least two TCP sessions are involved: a client-to-proxy session and a proxy-to-OCS (origin content server) session. A filter on the client IP alone normally shows only the first of these, which is why the examples below combine the client IP with the OCS IP.
  • Before the request can be sent to the OCS, the proxy may open additional UDP sessions (e.g. DNS/RDNS) and/or TCP sessions (e.g. authentication, ICAP request modification), and a proxy configured for ICAP response modification opens a TCP session to the configured ICAP server as well. Include the ports and/or IP addresses of these services in the capture filter if needed. However, verify the health of these services (Health Checks) for obvious problems before taking packet captures.
  • If you are running WCCP / GRE, please refer to the KB article TECH241738 (FAQ727).


Most common PCAP filters to use on a ProxySG appliance: 

Capture traffic by client IP: ip host x.x.x.x  where x.x.x.x is the IP address of the client initiating the request.

Capture traffic to or from the client, to or from the origin content server, or any DNS traffic:  ip host x.x.x.x || ip host y.y.y.y || port 53  where x.x.x.x is the IP address of the client that initiated the request and y.y.y.y is the IP address of the origin content server. Note that port 53 matches both UDP and TCP on port 53, in either direction, and that ip host matches the address as either source or destination.

Capture traffic to or from the client, or to or from a specific domain: ip host x.x.x.x || host www.example.com  where x.x.x.x is the IP address of the client that initiated the request and www.example.com is the domain the user has requested. The host name is resolved to its IP address(es) once, when the filter is applied; if the domain later resolves to different addresses (for example, behind a CDN or with round-robin DNS), that traffic is not matched. If in doubt, check what the name resolves to from the appliance and use ip host with the address directly.

Capture traffic for a native FTP issue: port ftp || port ftp-data  This matches the control channel (TCP port 21) and active-mode data connections (TCP port 20). Passive-mode data connections use negotiated ephemeral ports and are only captured if you also filter on the client or FTP server address with ip host.

Capture multicast packets to troubleshoot a ProxySG appliance failover deployment:  ip multicast

Capture all traffic originating from a specific LAN network: src net 192.168.3.16/28  This captures packets whose source address is in the 192.168.3.16 network with netmask 255.255.255.240 (192.168.3.16 through 192.168.3.31). Because src matches the source address only, return traffic to those hosts is not captured; use net 192.168.3.16/28 without the src qualifier to capture both directions.
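The following is an added example, not part of the original article and not appliance code: a small Python (standard library only) script that re-implements the filter primitives used above (ip host, port, net / src net, ip multicast, ||) and runs them over a constructed classic-pcap byte string. It lets you check, before running a filter on a busy proxy, how much of a capture each expression would keep, and it makes the one-direction behaviour of src net visible. All addresses, ports and packets in it are constructed for illustration; the proxy IP 10.1.1.5, DNS server 10.1.1.53 and OCS 203.0.113.10 are hypothetical.

```python
# Added example (not from the article): re-implement the filter primitives used
# above and run them over a constructed classic-pcap byte string. Standard library
# only; Ethernet/IPv4 with TCP or UDP; all addresses and packets are made up.
import ipaddress
import struct

LINKTYPE_ETHERNET = 1
IPPROTO_TCP, IPPROTO_UDP = 6, 17

def parse_frame(frame):
    """Decode an Ethernet/IPv4 frame into the fields the filters look at."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # not IPv4 (ARP, IPv6, ...): none of the 'ip' primitives match
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = ipaddress.IPv4Address(frame[26:30]), ipaddress.IPv4Address(frame[30:34])
    sport = dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(frame) >= 14 + ihl + 4:
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}

def read_pcap(data):
    """Yield parsed packets from a classic pcap: 24-byte global header, then a
    16-byte record header (ts_sec, ts_usec, incl_len, orig_len) per frame."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are supported")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        pkt = parse_frame(data[off:off + incl_len])
        off += incl_len
        if pkt is not None:
            yield pkt

# Filter primitives with the semantics of the corresponding pcap-filter keywords.
def ip_host(addr):                      # 'ip host a': a is source or destination
    a = ipaddress.IPv4Address(addr)
    return lambda p: a in (p["src"], p["dst"])
def port(n):                            # 'port n': TCP or UDP, either end
    return lambda p: n in (p["sport"], p["dport"])
def net(cidr, src_only=False):          # 'net x/y' vs 'src net x/y'
    n = ipaddress.IPv4Network(cidr, strict=False)
    if src_only:
        return lambda p: p["src"] in n  # source only: return traffic is not matched
    return lambda p: p["src"] in n or p["dst"] in n
def ip_multicast():                     # 'ip multicast': destination in 224.0.0.0/4
    return lambda p: p["dst"].is_multicast
def any_of(*preds):                     # '||' between primitives
    return lambda p: any(f(p) for f in preds)

def count_kept(pcap_bytes, pred):
    """Return (kept, total): how many packets the filter would have retained."""
    pkts = list(read_pcap(pcap_bytes))
    return sum(1 for p in pkts if pred(p)), len(pkts)

# Constructed sample capture: a client fetching an uncached object through the proxy
# (client->proxy, DNS, proxy->OCS), a LAN client, an unrelated client, one multicast.
def build_frame(src, dst, proto, sport, dport):
    eth = b"\x00" * 12 + b"\x08\x00"
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16       # header-sized stub
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + l4

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

CLIENT, PROXY, DNS, OCS = "10.1.1.50", "10.1.1.5", "10.1.1.53", "203.0.113.10"
LAN_CLIENT = "192.168.3.20"                                      # inside 192.168.3.16/28
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, PROXY, IPPROTO_TCP, 51000, 8080),        # first TCP session
    build_frame(PROXY, CLIENT, IPPROTO_TCP, 8080, 51000),
    build_frame(PROXY, DNS, IPPROTO_UDP, 40000, 53),             # proxy resolves the OCS
    build_frame(DNS, PROXY, IPPROTO_UDP, 53, 40000),
    build_frame(PROXY, OCS, IPPROTO_TCP, 40001, 80),             # second TCP session
    build_frame(OCS, PROXY, IPPROTO_TCP, 80, 40001),
    build_frame(LAN_CLIENT, PROXY, IPPROTO_TCP, 51001, 8080),    # LAN client request
    build_frame(PROXY, LAN_CLIENT, IPPROTO_TCP, 8080, 51001),    # its return traffic
    build_frame("10.1.1.99", PROXY, IPPROTO_TCP, 51002, 8080),   # unrelated client
    build_frame(PROXY, "239.1.1.1", IPPROTO_UDP, 40002, 5000),   # multicast datagram
])

FILTERS = {
    "ip host 10.1.1.50": ip_host(CLIENT),
    "ip host 10.1.1.50 || ip host 203.0.113.10 || port 53": any_of(ip_host(CLIENT), ip_host(OCS), port(53)),
    "src net 192.168.3.16/28": net("192.168.3.16/28", src_only=True),
    "net 192.168.3.16/28": net("192.168.3.16/28"),
    "ip multicast": ip_multicast(),
}

if __name__ == "__main__":
    for expr, pred in FILTERS.items():
        kept, total = count_kept(SAMPLE_PCAP, pred)
        print(f"{expr:55} keeps {kept}/{total} packets")
```

Run as a script it prints one line per filter. On the sample capture the client-only filter keeps just the client-to-proxy leg (2 of 10 packets), the combined client/OCS/DNS filter keeps the whole transaction (6 of 10), and src net 192.168.3.16/28 keeps only the LAN client's outbound packet (1 of 10) while net 192.168.3.16/28 also keeps the reply (2 of 10). To size a real filter, read an existing unfiltered capture from the appliance into SAMPLE_PCAP's place and compare the counts.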

You can use Wireshark (www.wireshark.org) or your preferred packet analyzer to view packet captures taken from Blue Coat proxies.