How to perform a Packet Capture on Content Analysis (CA or CAS)
Article ID: 168557
Updated On:
Products
Content Analysis Software
ISG Content Analysis
Issue/Introduction
Gathering Packet Captures is a very reliable tool for deep network-level diagnosis. There are solutions inside a PCAP that can't be seen using any other diagnostic method. For this reason, Customer Support will often request a Packet Capture, even when there may not be an obvious reason.
Resolution
First, navigate to the Packet Capture page on the CA by pointing your browser at Utilities > Packet Capture where you'll be taken to the page represented in Image 1:
The first box is for adding any filtering you wish to use. The syntax is "Berkeley Style", such as, "tcp" if you only wish to see TCP traffic. Another one which may be asked for by Blue Coat Customer Support, would be to filter based on ICAP traffic:
Another possibility would be to filter against one SG and only ICAP traffic. In this example, the system isn't configured to use Secure ICAP traffic:
Of course there are cases where you may leave the "Filter" unused so all traffic is captured.
In the next field you enter the length of your PCAP in seconds.
In most cases capturing more than 10 or 15 seconds is overkill, unless the problem occurs at random times rather than specific times which can be planned for. In those cases, determine if there's any pattern to events by checking logs, then limit the capture to a reasonable amount of time.
As you can guess, unfiltered Packet Captures will contain everything that went across the pipe during the length of the capture that isn't bypassed.
Image 1, Content Analysis Packet Capture
The first box is for adding any filtering you wish to use. The syntax is "Berkeley Style", such as, "tcp" if you only wish to see TCP traffic. Another one which may be asked for by Blue Coat Customer Support, would be to filter based on ICAP traffic:
port 1344 or port 11344
Another possibility would be to filter against one SG and only ICAP traffic. In this example, the system isn't configured to use Secure ICAP traffic:
port 1344 and host 10.31.19.100
Of course there are cases where you may leave the "Filter" unused so all traffic is captured.
In the next field you enter the length of your PCAP in seconds.
In most cases capturing more than 10 or 15 seconds is overkill, unless the problem occurs at random times rather than specific times which can be planned for. In those cases, determine if there's any pattern to events by checking logs, then limit the capture to a reasonable amount of time.
As you can guess, unfiltered Packet Captures will contain everything that went across the pipe during the length of the capture that isn't bypassed.
Workaround
Not applicable
Attachments
Feedback
Yes
No
Powered by
