How to perform a Packet Capture on Content Analysis (CA or CAS)


Article ID: 168557


Products

Mobile App Risk Detection Content Analysis Software - CA

Issue/Introduction

A packet capture (PCAP) is one of the most reliable tools for deep network-level diagnosis: it records the actual traffic on the wire, and it often reveals details that cannot be seen with any other diagnostic method. For this reason, Customer Support will frequently request a packet capture even when there is no obvious network-level symptom.

 

Resolution

First, open the Packet Capture page in the CA management console by navigating to Utilities > Packet Capture. You will be taken to the page shown in Image 1:

[Image 1: Content Analysis Packet Capture page in the administration UI]

The first box, Filter, is for any capture filter you wish to apply. The syntax is Berkeley Packet Filter (BPF) syntax, the same syntax tcpdump uses; for example, "tcp" captures only TCP traffic. Another filter that Blue Coat Customer Support may ask for restricts the capture to ICAP traffic, covering both plain ICAP (port 1344) and secure ICAP (port 11344):
 
port 1344 or port 11344

Another possibility is to capture only ICAP traffic to or from a single ProxySG. In this example the ProxySG is not configured to use secure ICAP, so only port 1344 is needed:
 
port 1344 and host 10.31.19.100

You can also leave the Filter box empty so that all traffic is captured.

In the next field, enter the length of the capture in seconds.

In most cases a capture of more than 10 or 15 seconds is overkill, unless the problem occurs at random times rather than at times that can be planned for. In that case, check the logs for any pattern in the events, then limit the capture to a reasonable length that still covers the next expected occurrence.

As you would expect, an unfiltered capture contains everything that crossed the CA's interfaces during the capture window, apart from traffic that is bypassed, so the file can grow large very quickly. Before sending a capture to Support, it is worth checking that it actually contains the traffic the filter was meant to isolate.
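The following is an added example, not code from the article or from the Content Analysis product. It shows what the two ICAP filters above actually select by building a small constructed pcap (Ethernet/IPv4/TCP, classic pcap format) in memory, reading it back with a minimal stdlib-only parser, and classifying each packet the way the BPF filters `port 1344 or port 11344` and `port 1344 and host 10.31.19.100` would. The 10.31.19.100 address is the ProxySG from the article; the CA address 10.31.19.50, the other client addresses and the ICAP payloads are assumptions made up for the sample. The same `summarize` function can be pointed at a real capture downloaded from the CA to confirm it contains the expected ICAP traffic before it is sent to Support.

```python
import socket
import struct
from typing import Dict, List, Optional, Tuple

ICAP_PORT = 1344             # plain ICAP, the first port in the article's filter
ICAPS_PORT = 11344           # secure ICAP, the second port in the article's filter
PROXY_HOST = "10.31.19.100"  # the ProxySG address used in the article's host filter
CA_HOST = "10.31.19.50"      # assumption: the Content Analysis appliance address

Packet = Tuple[str, str, int, int]  # (src ip, dst ip, src port, dst port)


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int,
                payload: bytes = b"") -> bytes:
    """Minimal Ethernet/IPv4/TCP frame for the constructed sample (checksums left zero)."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload


def write_pcap(frames: List[bytes]) -> bytes:
    """Serialise frames as a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data: bytes) -> List[bytes]:
    """Return the captured frames of a classic pcap, accepting either byte order."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    link_type = struct.unpack_from(endian + "I", data, 20)[0]
    if link_type != 1:
        raise ValueError(f"expected Ethernet (link type 1), got {link_type}")
    frames, offset = [], 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frames.append(data[offset:offset + incl_len])
        offset += incl_len
    return frames


def parse_frame(frame: bytes) -> Optional[Packet]:
    """Extract IPv4/TCP addressing; None for anything a TCP port filter cannot match."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IP protocol 6 = TCP
        return None
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return src, dst, sport, dport


def is_icap(pkt: Packet) -> bool:
    """Same selection as the BPF filter 'port 1344 or port 11344' (either direction)."""
    _, _, sport, dport = pkt
    return bool({sport, dport} & {ICAP_PORT, ICAPS_PORT})


def is_icap_with_host(pkt: Packet, host: str = PROXY_HOST) -> bool:
    """Same selection as the BPF filter 'port 1344 and host 10.31.19.100'."""
    src, dst, sport, dport = pkt
    return ICAP_PORT in (sport, dport) and host in (src, dst)


def summarize(pcap: bytes) -> Dict[str, int]:
    """Count how many frames each filter would have kept; 'other' is noise for Support."""
    counts = {"frames": 0, "icap_any": 0, "icap_proxy": 0, "other": 0}
    for frame in read_pcap(pcap):
        counts["frames"] += 1
        pkt = parse_frame(frame)
        if pkt is not None and is_icap(pkt):
            counts["icap_any"] += 1
            if is_icap_with_host(pkt):
                counts["icap_proxy"] += 1
        else:
            counts["other"] += 1
    return counts


# Constructed sample capture: two plain-ICAP frames between the ProxySG and the CA,
# one secure-ICAP frame from a second proxy, and one unrelated HTTPS admin session.
SAMPLE_PCAP = write_pcap([
    build_frame(PROXY_HOST, CA_HOST, 40001, ICAP_PORT, b"REQMOD icap://ca/reqmod ICAP/1.0\r\n"),
    build_frame(CA_HOST, PROXY_HOST, ICAP_PORT, 40001, b"ICAP/1.0 204 No Content\r\n"),
    build_frame("10.31.19.101", CA_HOST, 40002, ICAPS_PORT),
    build_frame("10.0.0.5", CA_HOST, 51000, 443),
])

if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP))
```

To check a real capture, replace `SAMPLE_PCAP` with the bytes of the downloaded file; a result where `icap_proxy` is zero means the filter or the ProxySG address was wrong and the capture should be repeated rather than sent on. Note that the reader handles only the classic pcap format and Ethernet link type, which is what the article's workflow produces; pcapng files need a different parser.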

Workaround

Not applicable
