Saving a PCAP via Serial Console / CLI Without Internet Access

Article ID: 170696

Products

ProxySG Software - SGOS

Issue/Introduction

You want to download a PCAP from a proxy to a local machine when you have only serial console access and no internet access.

Resolution

It is possible to save a PCAP in this situation by using PuTTY's session logging feature: display the base64-encoded PCAP at the command line, log that output, and then convert the logged text into a PCAP that Wireshark can open, using Notepad++.

First, set up PuTTY session logging as below, making sure that it is set to log printable output only.

Then, connect to the serial console, and output the base64-encoded PCAP:

proxy> en
proxy# show advanced-url /PCAP/bluecoat.cap base64

Page through all of the output, then exit the console session once it has finished, so that nothing further is appended to the log while you edit it.

Open the log in Notepad++, and remove all lines except for the one containing the base64-encoded PCAP:

In this example, remove all but line 6.

Once the other lines are removed, we need to remove the "--More--" pager prompts that the proxy output during logging. Replace (Ctrl+H) all instances of "--More--        " with "": that is, delete every instance of --More-- followed by 8 spaces.

Finally, we need to decode the base64. In Notepad++, highlight the remaining text, and choose Plugins > MIME Tools > Base64 Decode from the menu.

The file should now look like this:

Save this as a .pcap file, and you will be able to open it in Wireshark.
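The same cleanup and decode can be scripted instead of done by hand in Notepad++. The following is an added example, not part of the original article or of SGOS: it deletes the "--More--" prompts plus their 8 trailing spaces, keeps only the base64 line(s), decodes them, and checks that the result begins with a pcap or pcapng magic before it is saved. The session layout in build_sample_log() is constructed to match the article's console output; the prompt text "proxy>" / "proxy#" is taken from the article.

```python
import base64
import re
import struct

# Pager artifact the article describes: "--More--" followed by 8 spaces
MORE_PROMPT = re.compile(r"--More-- {8}")
# A logged line made only of base64 text (prompt/command lines contain spaces)
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Leading bytes of the capture formats Wireshark opens (used as a sanity check)
PCAP_MAGICS = (
    b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",  # pcap, microsecond timestamps
    b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1",  # pcap, nanosecond timestamps
    b"\x0a\x0d\x0d\x0a",                        # pcapng section header block
)

def extract_base64(log_text: str) -> str:
    """Same edit as the Notepad++ steps: drop pager prompts, keep base64 lines."""
    cleaned = MORE_PROMPT.sub("", log_text)
    lines = (ln.strip() for ln in cleaned.splitlines())
    return "".join(ln for ln in lines if ln and B64_LINE.match(ln))

def decode_pcap(log_text: str) -> bytes:
    """Decode the logged base64 and check the result looks like a capture."""
    payload = extract_base64(log_text)
    if not payload:
        raise ValueError("no base64 payload found in the log")
    data = base64.b64decode(payload, validate=True)
    if data[:4] not in PCAP_MAGICS:
        raise ValueError("decoded data does not start with a pcap/pcapng magic")
    return data

def save_pcap(log_path: str, out_path: str) -> int:
    """Convert a saved PuTTY log into a .pcap file; returns bytes written."""
    with open(log_path, encoding="utf-8", errors="replace") as f:
        data = decode_pcap(f.read())
    with open(out_path, "wb") as f:
        f.write(data)
    return len(data)

def build_sample_log():
    """Constructed sample: a one-packet pcap, logged the way the console shows it."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    rec = struct.pack("<IIII", 0, 0, 4, 4) + b"\xde\xad\xbe\xef"     # one 4-byte packet
    raw = hdr + rec
    b64 = base64.b64encode(raw).decode()
    half = len(b64) // 2  # pager prompt lands in the middle of the base64 line
    log = ("proxy> en\r\nproxy# show advanced-url /PCAP/bluecoat.cap base64\r\n"
           + b64[:half] + "--More--        " + b64[half:] + "\r\nproxy# exit\r\n")
    return log, raw
```

Run save_pcap("putty.log", "bluecoat.pcap") on the log PuTTY wrote; a ValueError means the log still contains something other than the base64 line, or the proxy's output was cut short.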