Analyzing "POST" HTTP requests from ProxySG when SSL Inspection is involved

Article ID: 233898

Products

ProxySG Software - SGOS Content Analysis Software

Issue/Introduction

Is it possible to analyze "POST" HTTP requests in a packet capture taken from a ProxySG when SSL Inspection is involved?

Resolution

Yes. It is possible to analyze "POST" HTTP requests in a PCAP, provided such requests were actually generated.

There are various methods for reviewing packet capture related information from the proxy appliance:

  • View packet capture statistics by navigating to https://ProxySG_IP_address:8082/PCAP/Statistics. From this page you can start, stop and download a packet capture and view various statistics.
  • View packet capture data through the Management Console by going to Maintenance > Service Information > Packet Capture and clicking the "Show statistics" button.
  • View packet capture data through the CLI using the following command:

     SGOS# pcap info

To analyze captured packet data, use a tool that reads Packet Sniffer Pro 1.1 files, such as Wireshark or Packet Sniffer Pro 3.0.

Wireshark can be downloaded for free at https://www.wireshark.org/.

Whichever approach is used to obtain the capture, apply the following display filter in Wireshark to isolate "POST" HTTP requests:

http.request.method == "POST"

For HTTP/2 traffic, use the Wireshark filter http2.headers.method == "POST" instead.

If a POST request was in fact generated, the packets carrying the "POST" request will appear in the filtered capture.

When collecting the PCAP on the ProxySG appliance, use capture filters that match the source and destination of the traffic of interest: "ip host xx.xx.xx.xx" for IP addresses and "host example.com" for hostnames. When more than one filter is used, join them with "or".
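As an added example (not part of the original article or of any ProxySG tooling), the following Python script builds a capture filter of the form described above and then applies the equivalent of the http.request.method == "POST" display filter to a small pcap. The pcap bytes, IP addresses and HTTP payloads are constructed inline for the demonstration, and the parser assumes the classic little-endian pcap format with Ethernet/IPv4/TCP frames.

```python
import struct
def build_capture_filter(ip_hosts, name_hosts):
    """ProxySG-style capture filter: 'ip host' for addresses, 'host' for names, joined with 'or'."""
    terms = [f"ip host {ip}" for ip in ip_hosts] + [f"host {name}" for name in name_hosts]
    return " or ".join(terms)

def http_request_method(payload):
    """Method of the HTTP/1.x request line that starts a TCP payload, or None if it is not a request."""
    parts = payload.partition(b"\r\n")[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/1."):
        return parts[0].decode("ascii", "replace")
    return None

def iter_tcp_payloads(pcap):
    """Yield TCP payloads from a classic little-endian pcap whose link type is Ethernet (IPv4 only)."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("this example handles only classic pcap files with Ethernet frames")
    off = 24  # first record header follows the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # too short, not IPv4, or not TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip Ethernet header and IP header (IHL)
        yield tcp[(tcp[12] >> 4) * 4:]  # skip TCP header (data offset)

def find_post_requests(pcap):
    """Equivalent of the Wireshark display filter http.request.method == "POST": the matching request lines."""
    return [p.partition(b"\r\n")[0].decode("ascii", "replace")
            for p in iter_tcp_payloads(pcap) if http_request_method(p) == "POST"]

def _frame(payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at zero because only parsing is exercised."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))  # constructed addresses
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    """Constructed pcap: 24-byte global header plus one record (16-byte header + frame) per frame."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = build_pcap(_frame(p) for p in [  # constructed traffic: one GET, one POST, one response
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.com\r\nContent-Length: 9\r\n\r\nuser=test",
    b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
])
```

Like the Wireshark filter, this only matches HTTP that is in the clear in the capture; the TLS-protected legs of an intercepted session appear as TLS records, not as HTTP.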

With SSL, we recommend using secure ICAP. For guidance, refer to the technical documentation at the URLs below.

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/content-analysis/3-0/sg-introduction/communication/secure_icap.html

https://knowledge.broadcom.com/external/article/170462/configuring-secure-icap-by-importing-cer.html