ProxySG & Advanced Secure Gateway

  • 1.  How to filter traffic on bluecoat proxy for packet capture..

    Posted Apr 20, 2018 04:56 AM

    Hi, I wanted to capture traffic on the Blue Coat proxy for the "blackline domain" for troubleshooting a slowness issue. When we try to access this blackline website, in the backend the website goes to multiple blackline servers.

    Example: static1.blackline.com, static2.blackline.com and so on. How can I capture traffic from my PC going to any blackline server here?

    Can you please help me with the steps.



  • 2.  RE: How to filter traffic on bluecoat proxy for packet capture..

    Posted Apr 20, 2018 06:59 AM

    Hi



  • 3.  RE: How to filter traffic on bluecoat proxy for packet capture..

    Posted Apr 21, 2018 11:52 AM

    Hi Umesh,

    For the packet capture filter, you will have to use all the FQDNs of the domains for which you want the traffic to be captured. For your query above, the packet capture filter should be as below:

    ip host x.x.x.x or host static1.blackline.com or host static2.blackline.com

    where x.x.x.x is your client machine's IP.



  • 4.  RE: How to filter traffic on bluecoat proxy for packet capture..

    Posted Apr 24, 2018 11:25 PM

    Hi Arvind,

    Thanks for your reply.

    Here I don't know exactly how many backend servers the application is hitting, like static1.blackline.com or static2.blackline.com etc.; it may go up to more than 8 or 9. Also they have other servers as well, x.x.x.blackline.com. So how can I take a capture here? I only know the domain, which is blackline.com.

    So can you please help me with this.



  • 5.  RE: How to filter traffic on bluecoat proxy for packet capture..

    Posted Apr 24, 2018 11:49 PM

    Hi Umesh,

    If more domains are needed, you have to keep adding them. This is required only if these domains resolve to different public IP addresses. If the list is so long and not predictable, then we will have to try taking an unfiltered packet capture (when traffic through the proxy is low or nil).

    Another option could be to check whether these subdomains fall in a specific network subnet in the public IP range. If yes, then use the filter "net x.x.x.x/mask" to cover the subnet, e.g. net 192.168.1.0/24. Combining this with the client IP will make sure you are capturing only the traffic of interest.



  • 6.  RE: How to filter traffic on bluecoat proxy for packet capture..
    Best Answer

    Posted Apr 25, 2018 07:13 AM

    The packet capture works with IP addresses. As far as I know, if you enter host names, they will just be converted to IP addresses, so entering "host example.com" is the same as "host 93.184.216.34". Traffic to other domains which resolve to the same IP address will be captured as well.

    To filter on all subdomains within a given second level domain you could try the following:

    * As Aravind suggested, add all host names to the filter: "host a.example.com or host b.example.com or host c.example.com" and so on

    * Perform DNS lookups on the different subdomains and see if they are located in the same subnet or in a few selected subnets, then filter on these subnets, e.g. "net 93.184.216.0/23 or net 192.168.216.0/25"

    * Capture everything, or capture large subnets which contain all hosts you are interested in, and then with the help of Tshark filter the captured traffic based on HTTP GET requests (for HTTP) or SSL Client Hello (for HTTPS). For HTTP you can use 'http.host contains "example.com"', for HTTPS 'ssl.handshake.extensions_server_name contains "example.com"', which will give you all initiated HTTP(S) connections to hosts within this second level domain. Then you can build connection filters based on all the destination IP addresses found.
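To illustrate the subnet approach from the reply above and the second bullet of this answer, here is an added Python helper (not from the thread and not a ProxySG feature) that takes constructed DNS results, merges the addresses into the smallest CIDR blocks no wider than a chosen floor, and emits a tcpdump-style capture filter anded with the client IP. The hostnames, addresses and client IP are all constructed sample values.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample: DNS answers for the subdomains seen so far.
# These are documentation-range addresses, not real resolutions.
RESOLVED: Dict[str, List[str]] = {
    "static1.blackline.com": ["203.0.113.10"],
    "static2.blackline.com": ["203.0.113.11"],
    "static3.blackline.com": ["203.0.113.25"],
    "app.blackline.com": ["198.51.100.7", "198.51.100.8"],
}


def smallest_supernet(a: ipaddress.IPv4Network, b: ipaddress.IPv4Network) -> ipaddress.IPv4Network:
    """Smallest aligned CIDR block that contains both a and b."""
    net = a
    while not net.supernet_of(b):
        net = net.supernet()  # widen by one bit; /0 contains everything
    return net


def covering_subnets(addrs: Iterable[str], floor: int = 24) -> List[ipaddress.IPv4Network]:
    """Greedily merge sorted /32s into blocks, but never wider than /floor.

    A wide block also captures unrelated hosts (shared CDN ranges), so the
    floor bounds how much extra traffic the capture filter lets through.
    """
    nets = sorted({ipaddress.ip_network(a) for a in addrs})
    merged: List[ipaddress.IPv4Network] = []
    for n in nets:
        if merged:
            candidate = smallest_supernet(merged[-1], n)
            if candidate.prefixlen >= floor:
                merged[-1] = candidate
                continue
        merged.append(n)
    return merged


def build_filter(client_ip: str, nets: Iterable[ipaddress.IPv4Network]) -> str:
    """Render a BPF-style filter: the client host anded with the server blocks."""
    terms = [f"host {n.network_address}" if n.prefixlen == 32 else f"net {n.with_prefixlen}"
             for n in nets]
    return f"host {client_ip} and ({' or '.join(terms)})"


if __name__ == "__main__":
    blocks = covering_subnets(ip for ips in RESOLVED.values() for ip in ips)
    print(build_filter("10.0.0.5", blocks))
```

Lower the floor (e.g. 32) to get a plain "host a or host b" list when the resolved addresses are scattered and a subnet would over-capture.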