Bluecoat packet captures for troubleshooting Edge SWG and Advanced Secure Gateway

Article ID: 167108

Products

  • ProxySG Software - SGOS
  • Advanced Secure Gateway Software - ASG

Issue/Introduction

Packet captures (PCAPs) can highlight failure points when dealing with issues in Edge SWG (formerly ProxySG) and Advanced Secure Gateway (ASG) appliances. They can also confirm if vital services such as DNS, authentication, and ICAP are working correctly.

Resolution

You can create a packet capture from either the HTTPS web console or the command-line interface (CLI). Here's how you do it:

Web console

You can use the web console to make a capture filter and gather the needed traffic data.

Getting started

Start with the source IP of your test client and the destination IPs (or resolved domain names) of the relevant Internet sites. Resolve the IP based on the type of proxy you're using:

  • If using Transparent Proxy, resolve the IP on the client machine.
  • If using Explicit Proxy, resolve the IP through the Proxy CLI using the command:

    proxy# test dns example.com

For example, to capture both the downstream (Client > Proxy) and upstream (Proxy > Server) conversations where the client IP is 10.x.x.x and the site is http://example.com with a resolved IP of 93.x.x.x, create the following filter:

ip host 10.x.x.x or ip host 93.x.x.x or host example.com

For multiple destinations, such as adding example.com with a resolved IP of 104.x.x.x, add it to the filter:

ip host 10.x.x.x or ip host 93.x.x.x or ip host 104.x.x.x or host example.com

Note: The host example.com term is evaluated by DNS lookup and captures all IPs in the response. example.com, www.example.com, and example1.com can resolve to different addresses, which affects what the filter captures.

If you need to use a network subnet (CIDR notation required):

ip host 10.x.x.x or net 93.x.x.x/24

If you need to filter on an application port, for example DNS (53) or ICAP (1344):

port 53 or port 1344

Starting the packet capture

Begin the capture just as you're about to reproduce the issue to minimize irrelevant data in the capture, making the review easier.

  1. Go to Maintenance > Service Information > Packet Capture > Start.
  2. Test the Internet site(s) or reproduce the issue.
  3. Stop the packet capture. Go to Maintenance > Service Information > Packet Capture > Stop.
  4. Download the packet capture log. Go to Maintenance > Service Information > Packet Capture > Download.
  5. Upload the log to your case.

CLI

You can also create a capture filter in the CLI to gather traffic data.

Getting started

As with the web console, start with the source IP of your test client and the destination IPs of the involved Internet sites. Resolve the IP based on the type of proxy you're using:

  • If using Transparent Proxy, resolve the IP on the client machine.
  • If using Explicit Proxy, resolve the IP through the Proxy CLI using the command:

    test dns example.com

For example, here's a filter where the client IP is 10.x.x.x, and the site is http://example.com with a resolved IP of 93.x.x.x. This ensures that the packet capture has both downstream (Client > Proxy) and upstream (Proxy > Server) conversations.

SGOS# pcap filter expr "ip host 10.x.x.x or ip host 93.x.x.x or host example.com"

For multiple destinations, such as adding example.com with a resolved IP of 104.x.x.x, add to the filter:

SGOS# pcap filter expr "ip host 10.x.x.x or ip host 93.x.x.x or ip host 104.x.x.x"
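As an added example (not from the article and not part of the appliance), a small Python helper that builds the filter expression used in both the web console and CLI sections from the client IP and the destinations, pinning each resolved address as an ip host term so the capture does not depend on the proxy's own DNS answer for the name. SAMPLE_DNS is constructed data standing in for the output of test dns, and the ports option assumes the appliance accepts standard BPF and/parenthesis grouping, which the article's own filters do not use.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List

# Constructed lookup table standing in for DNS answers (RFC 5737 documentation
# addresses, not real resolutions). In practice feed in what "test dns <name>"
# returns on the proxy (explicit) or on the client (transparent), or use
# socket.getaddrinfo for a live lookup.
SAMPLE_DNS: Dict[str, List[str]] = {
    "example.com": ["192.0.2.10"],
    "www.example.com": ["192.0.2.10", "192.0.2.11"],
    "example1.com": ["203.0.113.7"],
}


def _terms_for(site: str, resolver: Callable[[str], List[str]]) -> List[str]:
    """One 'ip host' or 'net' term per address: literal IP, CIDR subnet, or DNS name."""
    try:
        return [f"ip host {ipaddress.ip_address(site)}"]
    except ValueError:
        pass
    try:
        return [f"net {ipaddress.ip_network(site, strict=False).with_prefixlen}"]
    except ValueError:
        pass
    return [f"ip host {ipaddress.ip_address(addr)}" for addr in resolver(site)]


def build_pcap_filter(client_ip: str, sites: Iterable[str],
                      resolver: Callable[[str], List[str]] = SAMPLE_DNS.__getitem__,
                      ports: Iterable[int] = ()) -> str:
    """Filter expression covering the test client and every resolved destination.

    Resolved addresses are pinned as 'ip host' terms, so the capture does not depend
    on what the proxy's own lookup of the name returns at capture time. Ports, when
    given, narrow the hosts with 'and' (assumes standard BPF grouping).
    """
    terms = [f"ip host {ipaddress.ip_address(client_ip)}"]  # raises on a bad IP
    for site in sites:
        for term in _terms_for(site, resolver):
            if term not in terms:  # the same IP may come back for several names
                terms.append(term)
    hosts = " or ".join(terms)
    port_terms = " or ".join(f"port {int(p)}" for p in ports)
    return f"({hosts}) and ({port_terms})" if port_terms else hosts


def pcap_filter_command(expr: str) -> str:
    """The CLI line the article uses, with the expression double-quoted."""
    return 'pcap filter expr "' + expr.replace('"', '\\"') + '"'
```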

Starting the packet capture

  1. Run the following commands, reproducing the issue between the start and the stop:

    SGOS# pcap start
    SGOS# pcap stop

  2. If the GUI is unavailable to download the file, use one of the following options:
    • Upload to an FTP server on the CLI using the command:

      SGOS# pcap transfer ftp://x.x.x.x/path/filename.cap ftpuser ftppassword

    • Upload the log to your case using a Service Request Number.

Note: By default, the capture buffer on the appliance holds a maximum of 100 MB of data, roughly 500,000 packets in a production environment.

Rolling Packet Capture

For intermittent issues, consider starting a rolling packet capture. It records the latest traffic and overwrites older data. Stop the packet capture once the issue occurs.

Analyzing and Uploading the Packet Capture

After downloading the packet capture, you can use Wireshark for analysis. If you're working on a support case, you might need to upload the capture to Broadcom.

While creating a case with Broadcom support, if your appliance has internet access, you can upload the packet capture directly.

To upload the capture:

  1. Go to Maintenance > Service Information > Send Information > Send Service Information (tab).
  2. Provide the SR# (Service Request Number).
  3. Check the box for Packet Capture.
  4. Click Send.

We may also require a Policy Trace, Sysinfo, and Event Log. Collect these before uploading your files.

By following these steps, you can troubleshoot issues effectively using packet captures.