VLAN Filter On ProxySG PCAP Does Not Capture Both Sides Of The Conversation

Article Id: 169197

Status: Published

Updated On: 31-05-2018 12:01

Legacy Id: TECH246045

Products:

ProxySG Software - SGOS

Issue/Introduction:

Scenario:

VLAN 100: LAN side tagging
Client IP: 10.9.8.7
Proxy IP: 10.1.1.1

Proxy Filter Examples:
vlan 100 or ip host 10.9.8.7 - captures client to ProxySG requests, but no ProxySG responses
ip host 10.9.8.7 or vlan 100 - captures client requests and ProxySG responses

Cause:

So why does the order matter? Once the VLAN token is present in the conversation, any subsequent filter(s) only applies to vlan packets.

vlan 100 or ip host 10.9.8.7 - captures all VLAN packets with VLAN ID equal to 100 or VLAN packets with IP equal to 10.9.8.7
ip host 10.9.8.7 or vlan 100 - captures all packets with IP equal to 10.9.8.7 or VLAN packets with VLAN ID equal to 100

With the filter (vlan 100 or ip host 10.9.8.7), client side traffic arriving at the ProxySG is VLAN-Tagged (VLAN 100) and hence will be captured with the first filter. Return packets from theProxySG are not tagged and thus not a VLAN packet so the second filter will not record it.

Resolution:

This is normal and the behaviour identical to TCPDump. In order to capture both client side requests and ProxySG responses, reorder the filter as such.

ip host 10.9.8.7 or vlan 100