First, navigate to the Packet Capture page on the CA by pointing your browser at Utilities > Packet Capture where you'll be taken to the page represented in Image 1:
Image 1, Content Analysis Packet Capture
The first box is for adding any filtering you wish to use. The syntax is "Berkeley Style", such as, "tcp" if you only wish to see TCP traffic. Another one which may be asked for by Blue Coat Customer Support, would be to filter based on ICAP traffic:
port 1344 or port 11344
Another possibility would be to filter against one SG and only ICAP traffic. In this example, the system isn't configured to use Secure ICAP traffic:
port 1344 and host 192.168.100.1
Of course there are cases where you may leave the "Filter" unused so all traffic is captured.
In the next field you enter the length of your PCAP in seconds.
In most cases capturing more than 10 or 15 seconds is overkill, unless the problem occurs at random times rather than specific times which can be planned for. In those cases, determine if there's any pattern to events by checking logs, then limit the capture to a reasonable amount of time.
As you can guess, unfiltered Packet Captures will contain everything that went across the pipe during the length of the capture that isn't bypassed.