VLAN Filter On ProxySG PCAP Does Not Capture Both Sides Of The Conversation

Article ID: 169197

Products

ProxySG Software - SGOS

Issue/Introduction

Scenario:

VLAN 100: LAN side tagging
Client IP: 10.9.8.7
Proxy IP: 10.1.1.1

Proxy Filter Examples:
vlan 100 or ip host 10.9.8.7 - captures client to ProxySG requests, but no ProxySG responses
ip host 10.9.8.7 or vlan 100 - captures client requests and ProxySG responses

Cause

So why does the order matter? Once the vlan keyword appears in the filter expression, every subsequent filter term applies only to VLAN packets.

vlan 100 or ip host 10.9.8.7 - captures all VLAN packets with VLAN ID equal to 100 or VLAN packets with IP equal to 10.9.8.7
ip host 10.9.8.7 or vlan 100 - captures all packets with IP equal to 10.9.8.7 or VLAN packets with VLAN ID equal to 100

With the filter (vlan 100 or ip host 10.9.8.7), client-side traffic arriving at the ProxySG is VLAN-tagged (VLAN 100) and hence is captured by the first term. Return packets from the ProxySG are not tagged and so are not VLAN packets, which means the second term does not match them.
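The offset shift described above can be reproduced offline with a small model. This is an added example, not code from the article or from the ProxySG. The helper names frame() and matches() are hypothetical, the frames are constructed with zeroed MAC addresses, and the evaluator is a simplified model that handles only these two primitives joined by "or".

```python
import socket
import struct

ETH_IP, ETH_VLAN = 0x0800, 0x8100

def frame(src_ip, dst_ip, vlan=None):
    """Build a constructed Ethernet+IPv4 frame, optionally 802.1Q tagged."""
    eth = bytes(12)  # zeroed dst/src MACs (placeholder values)
    if vlan is not None:
        eth += struct.pack("!HH", ETH_VLAN, vlan)
    eth += struct.pack("!H", ETH_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip

def matches(expr, pkt):
    """Evaluate 'A or B' left to right, shifting offsets after 'vlan'."""
    shift, hit = 0, False  # shift = extra bytes later primitives skip
    for prim in expr.split(" or "):
        words = prim.split()
        etype = struct.unpack_from("!H", pkt, 12 + shift)[0]
        if words[0] == "vlan":
            tci = struct.unpack_from("!H", pkt, 14 + shift)[0]
            hit |= etype == ETH_VLAN and (tci & 0x0FFF) == int(words[1])
            shift += 4  # fixed when the filter is compiled, not per packet
        elif words[:2] == ["ip", "host"]:
            addr = socket.inet_aton(words[2])
            src = pkt[26 + shift:30 + shift]  # IPv4 source address
            dst = pkt[30 + shift:34 + shift]  # IPv4 destination address
            hit |= etype == ETH_IP and addr in (src, dst)
    return hit

# Constructed sample frames matching the article's scenario.
CLIENT_REQ = frame("10.9.8.7", "10.1.1.1", vlan=100)  # tagged, LAN side
PROXY_REPLY = frame("10.1.1.1", "10.9.8.7")           # untagged return

if __name__ == "__main__":
    for expr in ("vlan 100 or ip host 10.9.8.7",
                 "ip host 10.9.8.7 or vlan 100"):
        print(expr, matches(expr, CLIENT_REQ), matches(expr, PROXY_REPLY))
```

In the first ordering the untagged reply is tested four bytes too deep, so the EtherType comparison reads part of the IP header and fails.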

Resolution

This is normal behaviour and is identical to tcpdump. To capture both client-side requests and ProxySG responses, reorder the filter as follows:

ip host 10.9.8.7 or vlan 100