How to perform a Packet Capture on Content Analysis (CA or CAS)


Article ID: 168557


Updated On:


Content Analysis Software ISG Content Analysis


Packet captures are a very reliable tool for deep network-level diagnosis. A PCAP can hold answers that can't be seen using any other diagnostic method. For this reason, Customer Support will often request a packet capture, even when there may not be an obvious reason.



First, open the Packet Capture page on the CA by going to Utilities > Packet Capture in the administration UI. This takes you to the page shown in Image 1:
[Image 1: Content Analysis Packet Capture page in the administration UI]

The first box is for any filter you wish to apply. The syntax is "Berkeley Style" (Berkeley Packet Filter syntax), for example "tcp" if you only wish to see TCP traffic. Another filter, which Blue Coat Customer Support may ask for, limits the capture to ICAP traffic:
port 1344 or port 11344

Another possibility is to capture only ICAP traffic for a single SG. In this example, the system isn't configured to use Secure ICAP traffic:
port 1344 and host

Of course there are cases where you may leave the "Filter" unused so all traffic is captured. 
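
To check what the two filters above select before sending a capture to support, the following added example (not part of the original article or the product) counts matching frames in a capture file. It assumes the capture is a classic libpcap file with Ethernet framing and handles IPv4 TCP/UDP only; the addresses and sample frames are constructed.

```python
import socket
import struct

def read_pcap(data):
    """Yield Ethernet frames from a classic libpcap (not pcapng) byte string."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None or struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(order + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def flow(frame):
    """Return (src, sport, dst, dport) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] not in (6, 17):
        return None
    if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:   # later fragment: no ports
        return None
    l4 = 14 + (frame[14] & 0x0F) * 4           # Ethernet header + IPv4 header length
    if len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return socket.inet_ntoa(frame[26:30]), sport, socket.inet_ntoa(frame[30:34]), dport

def count_matches(pcap, ports, host=None):
    """Count frames selected by 'port A or port B' and, optionally, 'and host H'."""
    def hit(f):   # like the capture filter, match on either source or destination
        return f is not None and (not ports or f[1] in ports or f[3] in ports) \
            and (host is None or host in (f[0], f[2]))
    return sum(hit(flow(fr)) for fr in read_pcap(pcap))

def make_frame(src, dst, sport, dport):
    """Constructed 54-byte Ethernet/IPv4/TCP SYN frame (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 1024, 0, 0)
    return bytes(12) + b"\x08\x00" + ip + tcp

# Constructed sample: CA at 192.0.2.20, two SGs at 192.0.2.10 and 192.0.2.11.
CA, SG1, SG2 = "192.0.2.20", "192.0.2.10", "192.0.2.11"
FRAMES = [make_frame(SG1, CA, 40000, 1344), make_frame(CA, SG1, 1344, 40000),
          make_frame(SG2, CA, 40001, 11344), make_frame(SG1, CA, 40002, 443),
          make_frame(SG2, CA, 40003, 1344)]
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in FRAMES)

if __name__ == "__main__":
    print(count_matches(SAMPLE, {1344, 11344}), count_matches(SAMPLE, {1344}, SG1))
```

To use it on a real capture, read the downloaded file in binary mode and pass its bytes to count_matches in place of SAMPLE.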

In the next field you enter the length of your PCAP in seconds.

In most cases capturing more than 10 or 15 seconds is overkill, unless the problem occurs at random times rather than specific times which can be planned for. In those cases, determine if there's any pattern to events by checking logs, then limit the capture to a reasonable amount of time.

As you can guess, an unfiltered packet capture will contain everything that went across the pipe for the length of the capture, except traffic that is bypassed.

