Collect data for Web Traffic Redirection support cases

Article ID: 175237

Products

Endpoint Protection Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Use the following steps to gather the debugging information necessary for in-depth troubleshooting of the Symantec Endpoint Protection (SEP) client Web Traffic Redirection (WTR) feature. The data gathered by these steps is sufficient to troubleshoot most WTR-related issues when working with Symantec support.

Environment

Microsoft Windows
Apple macOS

Resolution

Data Gathering Process

To troubleshoot issues with the SEP client WTR feature, gather the following from the affected client(s):

  1. Version(s) of the affected SEP client(s)
  2. Version(s) of Web Traffic Redirection Engine content
  3. Detailed description of the problem
  4. Collect the following data while reproducing the problem (start the logging before reproducing the problem, and stop it after the problem is fully reproduced):
    1. Debug logging from the SEP client's WTR engine
    2. Wireshark packet captures from the loopback and physical interfaces
    3. ProcessMonitor (ProcMon) logs, if applicable

See the sections below for a list of the tools needed to perform these data gathering steps.

Windows client data gathering tools

On the Windows client, you will need to capture Process Monitor (ProcMon) trace logs, Windows Preprocessor (WPP) Verbose logging and a packet capture (pcap).

Tool: ProcMon
When to use: Whenever there is a problem with SEP or its sub-services starting, or with SEP making system changes (e.g. setting registry keys, installing the WSS certificate, etc.).
How-To: Refer to Process Monitor for standard log and for bootlog

Tool: WPP Verbose
When to use: For all SEP for Windows WTR scenarios, WPP Verbose logging should be collected.
How-To: Refer to How to collect Verbose WPP logs for Endpoint Protection with the SymDiag Utility
  • Be sure to click Advanced once debug logging for Endpoint Protection Client is checked.
  • Then change the Trace Level drop-down from Information to Verbose.
  • To reduce file size, you can also select only the NTR Provider ID.

Tool: Packet Capture
When to use: When troubleshooting web traffic request issues.
How-To:
  1. Download and install Wireshark and npcap*
  2. Launch Wireshark and select both the Npcap Loopback Adapter and the primary network interface used for web traffic (e.g. Ethernet)
  3. Start the pcap trace and reproduce the issue
  4. Save the pcap trace in the pcapng file format

*npcap is necessary to capture traffic on the local loopback adapter on Windows. The latest release of Wireshark for Windows bundles npcap instead of WinPcap.

macOS client data gathering tools

On the macOS client, you will need to capture SymDaemon debug logging and a packet capture to troubleshoot WTR issues.

Tool: SymDaemon debug
When to use: In all macOS WTR issues, SymDaemon debug logging must be enabled and captured. This generates two log files, 'smc_debug.log' and 'lps_debug.log'.
How-To: Refer to Debug SymDaemon on the Endpoint Protection Macintosh client

Tool: Packet capture
When to use: When troubleshooting web traffic request issues.
How-To:
  1. Download and install Wireshark for macOS
  2. Launch Wireshark and select both the Loopback:lo0 adapter and the primary network interface used for web traffic (e.g. Ethernet:en0)
  3. Start the pcap trace and reproduce the issue
  4. Save the pcap trace in the pcapng file format

Keep in mind that most often it is best to set up all appropriate tools and logging with WTR disabled, then enable it and reproduce the issue. This allows Symantec support to capture the complete workflow SEP takes to enable and configure the WTR feature on the local system and trace subsequent web traffic calls.
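The Wireshark steps above are described for the GUI. When the same capture has to be collected from several clients, or started before WTR is enabled and left running unattended, a small script around dumpcap (the capture engine shipped with Wireshark) does the same job: it records the loopback and physical interfaces into one pcapng file. The script below is an added example, not part of this article or of any Symantec tool; it assumes dumpcap is on the PATH (on macOS it lives in Wireshark.app/Contents/MacOS), that the interfaces are lo0 and en0 unless told otherwise, and that the output directory path contains no spaces.

```shell
#!/bin/sh
# Added example (not from the article): capture loopback and physical
# interface traffic into one pcapng file for a WTR support case.
# Assumes dumpcap (installed with Wireshark) is on the PATH; on macOS:
#   export PATH="/Applications/Wireshark.app/Contents/MacOS:$PATH"
# Interface names lo0/en0 are assumptions; adjust for the machine at hand.

# Build the dumpcap command line as one string.
# dumpcap writes pcapng by default (the format the support case asks for)
# and accepts several -i flags, so both interfaces land in one file.
# Arguments: loopback interface, physical interface, output file,
# optional capture duration in seconds (0 = run until Ctrl-C).
build_capture_cmd() {
    loopback_if=$1
    physical_if=$2
    out_file=$3
    duration=${4:-0}
    cmd="dumpcap -i $loopback_if -i $physical_if -w $out_file"
    if [ "$duration" -gt 0 ]; then
        cmd="$cmd -a duration:$duration"
    fi
    printf '%s' "$cmd"
}

# Name the output after the host and a timestamp so captures from several
# clients can be attached to one case without colliding.
# Arguments: directory, timestamp string, short hostname.
capture_file_name() {
    dir=$1
    stamp=$2
    host=$3
    printf '%s/wtr-%s-%s.pcapng' "$dir" "$host" "$stamp"
}

# Run the capture. Needs root (raw capture) and dumpcap on the PATH.
# Arguments: loopback interface, physical interface, output directory,
# optional duration in seconds.
run_capture() {
    loopback_if=${1:-lo0}
    physical_if=${2:-en0}
    out_dir=${3:-$HOME/Desktop}
    duration=${4:-0}

    command -v dumpcap >/dev/null 2>&1 || {
        echo "dumpcap not found; install Wireshark and add it to PATH" >&2
        return 1
    }

    out_file=$(capture_file_name "$out_dir" "$(date +%Y%m%d-%H%M%S)" "$(hostname -s)")
    cmd=$(build_capture_cmd "$loopback_if" "$physical_if" "$out_file" "$duration")
    echo "Running: $cmd (Ctrl-C to stop)"
    # Unquoted expansion splits the string into arguments; this is why the
    # output path must not contain whitespace.
    $cmd
}

# Only start capturing when invoked as: sh wtr-capture.sh run [lo0 en0 DIR SECS]
# Sourcing or running the file without "run" just defines the functions.
if [ "${1-}" = "run" ]; then
    shift
    run_capture "$@"
fi
```

Start the script before enabling WTR, as the note above recommends, then enable the feature and reproduce the problem; stop it with Ctrl-C (or pass a duration as the fourth argument) and attach the resulting pcapng file to the case together with the SymDaemon or WPP logs.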