Analyzing "POST" HTTP requests from ProxySG, with SSL Inspection involves.
Article ID: 233898
Updated On:
Products
Issue/Introduction
Analyzing "POST" HTTP requests from ProxySG, with SSL Inspection involves.
Resolution
Yes. It is possible to analyze the "POST" HTTP requests in a PCAP, if they were generated.
There are various methods for reviewing packet capture related information from the proxy appliance:
- View packet capture statistics by navigating to https://ProxySG_IP_address:8082/PCAP/Statistics. This page can start, stop, download a packet capture and obtain various stats.
- View packet capture data through the Management Console by going to Maintenance > Service Information > Packet Capture, and clicking the "Show statistics" button.
- View Packet capture data through the CLI using the following command:
SGOS# pcap info
To analyze captured packet data, use a tool that reads Packet Sniffer Pro 1.1 files, such as Wireshark or Packet Sniffer Pro 3.0.
Wireshark can be downloaded for free at https://www.wireshark.org/.
Irrespective of the chosen approach, to analyze "POST" HTTP requests, the filter, below, should be utilized, in Wireshark.
http.request.method == "POST"
For HTTP2, use http2.headers.method == "POST" in the Wireshark filter.
If, indeed, a POST request was generated, packets with the "POST" request will be seen in the capture.
For collecting the PCAP on the ProxySG appliance, utilize filters that reflect the source and destination of the traffic of interest. Remember to use the "ip host xx.xx.xx.xx", for the use of IP addresses, and "host example.com", for non-IP hosts. When more than one filters are used, separate them with the use of "or".
Now, with SSL, we recommend to use secure ICAP. For guidance, please refer to the tech. docs. with URLs below.
https://knowledge.broadcom.com/external/article/170462/configuring-secure-icap-by-importing-cer.html
Feedback
