Bluecoat Using packet captures

Using the packet capture facility is essential for most troubleshooting: it is a quick, easy way to find the point of failure and to check that dependent services, such as DNS, authentication and ICAP, are working. Once you have used the tips below to get the capture file, you will need Wireshark to analyse it.

1- Running a simple capture from the https Web console or CLI:

Web console:

Start a packet capture via the Management Console > Maintenance > Service information > Packet Capture > Start

Test the internet site(s) or reproduce the issue as necessary.

Stop the packet capture via Management Console > Maintenance > Service information > Packet Capture > Stop

Then download the file as *.pcap or *.cap.

CLI:

SGOS# pcap start

SGOS# pcap stop

If you cannot access the https GUI to download the file, the only option is to upload it to an FTP server from the CLI:

SGOS# pcap transfer ftp://x.x.x.x/path/filename.cap ftpuser ftppassword

2- Running a capture with filters. The capture buffer on the SG can hold a maximum of 100 MB of data, around 500000 packets' worth, so in a production environment it may be necessary to capture only the relevant data using filters:

Web console:

Maintenance > Service information > pcaps > filter. 

In the filter field, enter the following (without the angle brackets):

host <client's ip> || host <server/website ip or hostname> || host <ip of the dns server> || host <ip of the authentication server or bcaaa> || host <ip of the icap server if in use>

Here is an example for an explicit client 10.20.5.5 going to https://kb.bluecoat.com: host 10.20.5.5 || host kb.bluecoat.com

Another example for the same host going to www.bluecoat.com: host 10.20.5.5 || host www.bluecoat.com

Start a packet capture via Management Console > Maintenance > Service information > Packet Capture > Start

Test the internet site(s) or reproduce the issue as necessary.

Stop the packet capture via Management Console > Maintenance > Service information > Packet Capture > Stop

CLI:

SGOS# pcap filter expr "host <client's ip> || <server ip or hostname>"

SGOS# pcap start

SGOS# pcap stop

3- Starting a rolling pcap, to catch intermittent issues: leave the pcap running so that it overwrites itself, and stop it when the issue occurs, to catch the most recent traffic:

Web console:

Maintenance > Service information > Packet Capture > Start > Buffering > Capture last: matching packets (max 1,000,000) or last matching Kbytes (max 102,400)

CLI:

SGOS# pcap start last count 500000 (for packets)

SGOS# pcap start last capsize 5000000 (for Kbytes)
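
As an added example (not from the original article), a small Python helper that assembles the section 2 filter expression for a client and its dependent services and emits the SGOS CLI lines for a one-shot or rolling capture as in section 3; the rolling-capture maximums are the Web console limits quoted above, and the function and argument names are my own.

```python
import ipaddress
import re

# Rolling-capture limits, taken from the Web console "Capture last" fields above.
MAX_LAST_PACKETS = 1_000_000
MAX_LAST_KBYTES = 102_400

# Permissive DNS-name check: dot-separated labels ending in an alphabetic TLD.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")

def is_host(value):
    """True for an IPv4/IPv6 literal or a DNS hostname; anything else is
    rejected so a typo cannot silently widen or empty the filter."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(value))

def build_filter(client, website, dns=None, auth=None, icap=None):
    """Assemble the 'host a || host b ...' expression from section 2. DNS,
    authentication (BCAAA) and ICAP hosts are added only when supplied, and
    duplicates (e.g. DNS and auth on the same box) are dropped."""
    hosts = []
    for h in (client, website, dns, auth, icap):
        if h is None:
            continue
        if not is_host(h):
            raise ValueError("not an IP address or hostname: %r" % h)
        if h not in hosts:
            hosts.append(h)
    return " || ".join("host %s" % h for h in hosts)

def cli_commands(expr, last_count=None, last_kbytes=None):
    """SGOS CLI lines: set the filter, start a one-shot capture or a rolling
    one (section 3) bounded by packets or Kbytes, then stop."""
    if last_count is not None and last_kbytes is not None:
        raise ValueError("give either a packet count or a Kbyte limit, not both")
    start = "pcap start"
    if last_count is not None:
        if not 0 < last_count <= MAX_LAST_PACKETS:
            raise ValueError("last count must be 1..%d" % MAX_LAST_PACKETS)
        start += " last count %d" % last_count
    elif last_kbytes is not None:
        if not 0 < last_kbytes <= MAX_LAST_KBYTES:
            raise ValueError("last capsize must be 1..%d Kbytes" % MAX_LAST_KBYTES)
        start += " last capsize %d" % last_kbytes
    return ['pcap filter expr "%s"' % expr, start, "pcap stop"]
```

The lines returned by cli_commands are what you type at the SGOS# prompt; the filter string from build_filter is also what goes in the Web console filter field.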

Once you have downloaded the capture, you are ready to use Wireshark to analyse it. Please see the section "Task 4: Analyse the packet capture data" in KB4827 for tips on capture analysis with Wireshark.

There is some overlap with these related articles:

KB4827 – Troubleshooting web pages that do not load or load incompletely

FAQ1486 – How do I capture a packet from a certain network or subnet with the ProxySG Packet Capture Facility?

KB1497 – Creating a packet capture filter

KB4698 – How to use Wireshark to capture a packet trace as part of troubleshooting a network/connectivity issue.

FAQ1464 – How do I capture only TCP Control packets with the ProxySG Packet Capture Facility?
