Using packet captures for ProxySG and Advanced Secure Gateway (ASG) troubleshooting

Article ID: 167108

Products

ProxySG Software - SGOS

Issue/Introduction

Packet captures (PCAP) are essential for most ProxySG and Advanced Secure Gateway (ASG) troubleshooting.

Packet captures are a quick, easy way to find the point of failure and check the workings of dependent services, such as DNS, authentication, ICAP and so on.

Resolution

You can run a simple packet capture from the HTTPS web console or command-line interface (CLI).

Web console

Create a capture filter to capture the traffic. Support recommends that you filter on the source IP of the test client machine and on the destination IPs and/or resolved domain names of the Internet sites in question.

For example, here is a filter where the client IP is 10.4.50.32 and the site is http://example.com with a resolved IP of 93.184.216.34. Resolve the IP on the client machine if the ProxySG is deployed as a transparent proxy; if it is an explicit proxy, resolve the IP through the proxy CLI (proxy#test dns example.com). Including both addresses ensures that the packet capture has both the downstream (Client > Proxy) and the upstream (Proxy > Server) conversations.

    ip host 10.4.50.32 or ip host 93.184.216.34 or host example.com

If you need more than one destination, for example a second resolved IP (104.154.170.133 here), just append it to the filter:

    ip host 10.4.50.32 or ip host 93.184.216.34 or ip host 104.154.170.133 or host example.com

The filter for example.com is done by DNS lookup and will capture all IPs in the response.
Note: There can be different resolutions for example.com, www.example.com, and also example1.com, and can affect what the filter will capture.

If you need to use a network subnet (CIDR notation required):

    ip host 10.4.20.32 or net 93.184.216.0/24

If you need to filter on an application port, for example DNS (53) or ICAP (1344):

    port 53 or port 1344
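To build these filter expressions consistently (and to produce the `pcap filter expr` command used in the CLI section below), here is an added Python helper; it is not part of this article or of SGOS, and the function names are its own. It validates the addresses and enforces the CIDR requirement for subnets so a mistyped host address is rejected rather than silently widened.

```python
import ipaddress
from typing import Iterable, Optional


def build_pcap_filter(client_ip: Optional[str] = None,
                      server_ips: Iterable[str] = (),
                      hostnames: Iterable[str] = (),
                      nets: Iterable[str] = (),
                      ports: Iterable[int] = ()) -> str:
    """Return a BPF capture filter that ORs the test client with every
    upstream endpoint, so one capture holds both the downstream
    (client > proxy) and the upstream (proxy > server) legs.

    client_ip  -- source IP of the test client machine
    server_ips -- resolved IPs of the sites in question
    hostnames  -- names the proxy resolves when the filter is set;
                  every address in that DNS answer is captured
    nets       -- subnets, CIDR notation required
    ports      -- application ports, e.g. 53 for DNS or 1344 for ICAP
    """
    terms = []
    if client_ip is not None:
        terms.append(f"ip host {ipaddress.ip_address(client_ip)}")
    for ip in server_ips:
        terms.append(f"ip host {ipaddress.ip_address(ip)}")
    for name in hostnames:
        terms.append(f"host {name}")
    for net in nets:
        # strict=True raises ValueError for a host address with a prefix
        # (e.g. "93.184.216.5/24") instead of quietly capturing the whole /24.
        terms.append(f"net {ipaddress.ip_network(net, strict=True)}")
    for port in ports:
        if not 0 < int(port) < 65536:
            raise ValueError(f"port out of range: {port}")
        terms.append(f"port {int(port)}")
    if not terms:
        raise ValueError("an empty filter would capture all traffic")
    return " or ".join(terms)


def sgos_filter_command(expr: str) -> str:
    """Wrap the expression as the SGOS CLI 'pcap filter expr' command."""
    if '"' in expr:
        raise ValueError("double quotes are not allowed inside the expression")
    return f'pcap filter expr "{expr}"'


if __name__ == "__main__":
    expr = build_pcap_filter("10.4.50.32", ["93.184.216.34"], ["example.com"])
    print(sgos_filter_command(expr))
```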

CLI

  1. Create a capture filter to capture the traffic. Support recommends that you filter on the source IP of the test client machine and on the destination IPs of the Internet sites in question.

    For example, here is a filter where the client IP is 10.4.50.32 and the site is http://example.com with a resolved IP of 93.184.216.34. Resolve the IP on the client machine if the ProxySG is deployed as a transparent proxy; if it is an explicit proxy, resolve the IP through the proxy CLI using the command: test dns example.com. Including both addresses ensures that the packet capture has both the downstream and the upstream conversations.

    SGOS# pcap filter expr "ip host 10.4.50.32 or ip host 93.184.216.34 or host example.com"

    If you need more than one destination, for example a second resolved IP of 104.154.170.133 for example.com, just append it to the filter:

    SGOS# pcap filter expr "ip host 10.4.50.32 or ip host 93.184.216.34 or ip host 104.154.170.133 or host example.com"
  2. Run the following commands:

    SGOS# pcap start
    SGOS# pcap stop

  3. If the GUI is unavailable to download the file, you have a couple of options:
The capture buffer on the SG can contain a maximum of 100 MB of data by default, around 500000 packets worth, so in a production environment.

Rolling packet capture

To start a rolling packet capture and catch intermittent issues, leave the packet capture running (it overwrites itself), and stop it when the issue occurs, to catch the most recent traffic. See Setting Rolling Packet Capture with increased size limit on ProxySG and Advanced Secure Gateway

Analyze the packet capture

Once you download the packet capture, you can use Wireshark to analyze it. If needed, you can also upload this to an open case with Broadcom.