When capturing data to identify a problem, I find that the PCAP fills up quickly because my network is very busy. What capture filters can I use to gather just the information I'm interested in when taking packet captures on my CacheFlow or ProxySG / ASG appliance?
Although an unfiltered packet capture is ideal, because it preserves the complete Layer 2, Layer 3, and Layer 4 conversation for the investigation, a very busy proxy can fill the 100 MB capture buffer in less than 10 seconds and the capture may stop before the problem occurs. Capture filters help when troubleshooting in this situation.
Consider the following when examining proxied traffic in a packet capture:
Most common PCAP filters to use on a ProxySG appliance:
Capture traffic by client IP: ip host x.x.x.x, where x.x.x.x is the IP address of the client initiating the request.
Capture traffic to or from the client, to or from the origin content server, or DNS requests: ip host x.x.x.x || ip host y.y.y.y || port 53, where x.x.x.x is the IP address of the client that initiated the request and y.y.y.y is the IP address of the origin content server.
Capture traffic to or from the client, or to or from a specific domain: ip host x.x.x.x || host www.example.com, where x.x.x.x is the IP address of the client that initiated the request and www.example.com is the domain the user has requested.
Capture native FTP traffic (control and data channels) for an FTP issue: port ftp || port ftp-data
Capture multicast packets to troubleshoot a ProxySG appliance failover deployment: ip multicast
Capture all traffic sourced from a specific network on the LAN: src net 192.168.3.16/28. This captures packets whose source address is in the 192.168.3.16 netmask 255.255.255.240 network.
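The following is an added example, not part of the original article and not the appliance's filter engine: a small Python model of the tcpdump/BPF filter primitives used above, run over a handful of constructed packets, to show exactly which packets each filter keeps. Two points it makes visible: host and port primitives match either direction, whereas src net matches only the source address (so the proxy's replies to a client in that network are not captured); and a hostname in host www.example.com is resolved to an address when the filter is compiled, so the filter matches that address, not the HTTP Host header. The name table, ports and packets are constructed sample data.

```python
"""Toy evaluator for the subset of tcpdump/BPF capture-filter syntax used in this article.

Constructed example only: it models what each filter selects, it is not the
ProxySG filter implementation. Packets are plain dicts built inline below.
"""
import ipaddress

# Constructed name table standing in for the resolver. A real capture filter
# resolves "host www.example.com" to its address(es) when the filter is
# compiled, before any packet is seen; it never inspects HTTP Host headers.
NAME_TABLE = {"www.example.com": ["203.0.113.10"]}   # TEST-NET-3 address, constructed
SERVICE_PORTS = {"ftp": 21, "ftp-data": 20, "domain": 53}   # the service names the filters use
MULTICAST = ipaddress.ip_network("224.0.0.0/4")              # IPv4 multicast range


def _addrs(token):
    """Resolve a host token (literal address or name) to a set of addresses."""
    try:
        return {ipaddress.ip_address(token)}
    except ValueError:
        return {ipaddress.ip_address(a) for a in NAME_TABLE.get(token, [])}


def _port(token):
    """Accept a numeric port or one of the service names above."""
    return SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)


def _match_primitive(prim, pkt):
    """Evaluate one primitive, e.g. 'ip host 10.0.0.5' or 'src net 192.168.3.16/28'."""
    words = prim.split()
    if words[0] == "ip":
        if words[1:] == ["multicast"]:
            # 'ip multicast' is true when the IPv4 destination is a multicast address
            return ipaddress.ip_address(pkt["dst"]) in MULTICAST
        words = words[1:]   # 'ip host X' is 'ip and host X'; all sample packets are IPv4
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if words[0] == "host":
        wanted = _addrs(words[1])
        return src in wanted or dst in wanted            # either direction
    if words[0] == "port":
        return _port(words[1]) in (pkt["sport"], pkt["dport"])   # either side
    if words[:2] == ["src", "net"]:
        return src in ipaddress.ip_network(words[2])    # source address only
    raise ValueError(f"unsupported primitive: {prim}")


def matches(filter_expr, pkt):
    """Evaluate primitives joined by '||' (logical or) against one packet."""
    return any(_match_primitive(p.strip(), pkt) for p in filter_expr.split("||"))


def select(filter_expr, packets):
    """Return the ids of the packets the filter would keep, in capture order."""
    return [p["id"] for p in packets if matches(filter_expr, p)]


# Constructed packets: a client behind the proxy, the proxy's upstream fetch,
# a DNS lookup, an FTP data connection from another client, and a failover multicast.
PACKETS = [
    {"id": "client->proxy",  "src": "192.168.3.20",  "dst": "10.1.1.1",      "sport": 50000, "dport": 8080},
    {"id": "proxy->client",  "src": "10.1.1.1",      "dst": "192.168.3.20",  "sport": 8080,  "dport": 50000},
    {"id": "proxy->origin",  "src": "10.1.1.1",      "dst": "203.0.113.10",  "sport": 40000, "dport": 80},
    {"id": "proxy->dns",     "src": "10.1.1.1",      "dst": "10.1.1.53",     "sport": 41000, "dport": 53},
    {"id": "ftp-data",       "src": "192.168.3.200", "dst": "198.51.100.7",  "sport": 20,    "dport": 51000},
    {"id": "multicast",      "src": "10.1.1.1",      "dst": "224.0.0.18",    "sport": 0,     "dport": 0},
]

if __name__ == "__main__":
    for f in ["ip host 192.168.3.20",
              "ip host 192.168.3.20 || host www.example.com",
              "ip host 192.168.3.20 || ip host 203.0.113.10 || port 53",
              "port ftp || port ftp-data",
              "ip multicast",
              "src net 192.168.3.16/28"]:
        print(f"{f!r:60} -> {select(f, PACKETS)}")
```

Note that src net 192.168.3.16/28 keeps only client->proxy and drops the proxy's reply to the same client; use host (or net without src) when both directions are needed.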
You can use Wireshark (www.wireshark.org) or your preferred packet analyzer to view a packet capture taken from Blue Coat proxies.