Performing Packet Tracing in Secure Web Gateway SWG
Packet tracing is a useful technique for identifying the root cause of a problem. You can perform packet tracing on SWG to analyze or troubleshoot network problems and debug communication. It helps you resolve common problems encountered with SWG, such as SWG not being able to reach a website, SWG not responding to a client request, or a connection attempt made through SWG failing.
To perform Packet Tracing in SWG:
Create a trace file either from the SWG manager or from the appliance command line (CLI).
SWG manager:
- Log on to the SWG manager and navigate to Troubleshooting | Packet Tracing.
- In the command-line parameters field, type required parameters to filter the dump. This allows you to collect only the needed information and prevent the dump from getting too large.
The file size for the dump created on the user interface is limited to 200,000 packets.
- Click tcpdump start.
- Reproduce the issue.
- When the issue has been reproduced, stop the capture.
Command line:
- Log on to the SWG appliance CLI using SSH.
- Go to the tcpdump folder: Type cd /opt/mwg/log/debug/tcpdump and press Enter.
- Start the tcpdump: Type tcpdump -s 0 -i any -w SR-Number_dump.pcap and press Enter.
- Reproduce the issue.
- When the issue has been reproduced, stop the capture by pressing Ctrl + C.
- You can download the file using FTP or on the user interface in the Troubleshooting | Packet Tracing section.
List of common parameters
Option | Example | Description |
---|---|---|
-i interface | -i any | Listen on the specified interface(s) |
-s snaplen | -s 0 | Number of bytes to capture from each packet; note that 0 means the whole packet |
-B size | -B 1024 | Set the operating system capture buffer size to buffer_size, in units of KiB (1024 bytes) |
-c count | -c 10 | Exit after receiving count packets |
-C file size | -C 100 | Specify a maximum file size in MB (SWG 11.2, 11.1.3, 10.2.9, and 9.2.20 support this on the UI) |
-W file count | -W 20 | Maximum number of files to keep (SWG 11.2, 11.1.3, 10.2.9, and 9.2.20 support this on the UI) |
host ClientIP | host 192.168.0.2 | Only capture packets from or to the specified host |
port Port | port 53 | Only capture packets with the specified port as source or destination port |
NOTE: The man-pages contain all available options and can be viewed by man tcpdump.
Example use cases:
- Capture all network traffic on SWG with full packets: -s 0 -i any
- Capture only traffic from or to a specific client with full packets: -s 0 -i any host clientIP
- Capture traffic of a specific clientIP, data from or to the domain controller and DNS traffic to analyze authentication issues: -s 0 -i any host clientIP or port 445 or port 53
Rolling captures for intermittent issues
Some issues might appear sporadically and it will be hard to reproduce them while creating the tcpdump. You can create rolling captures over a long time until the issue recurs.
Option | Example | Description |
---|---|---|
-C file size | -C 100 | Specify a maximum file size in MB |
-W number of files | -W 20 | Maximum number of files to keep |
-G seconds | -G 10 | Rotates the dump file every X seconds |
To create rolling captures for authentication issues:
You will need 2 GB of free space on /var for the following example.
- Log on to the SWG appliance CLI using SSH.
- Go to the /var folder: Type cd /var and press Enter.
- Verify that you have enough free space: Type df -k and press Enter.
- Start the rolling captures: Type nohup tcpdump -Z root -s 0 -i any port 445 or port 53 -C 100 -W 20 -w capturefilename.pcap & and press Enter twice.
This example filters for traffic on ports 445 and 53. This data is useful for troubleshooting AD Domain membership and authentication issues on SWG.
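The rolling-capture steps above, wrapped in a small POSIX shell script that checks the free space first and places the tcpdump options before the filter expression. This is an added example, not part of the SWG documentation; the function names, the DRY_RUN and CAPTURE_DIR variables, and the use of the tcpdump man page's 1,000,000-byte unit for -C are my assumptions.

```shell
#!/bin/sh
# Added example: start a rolling tcpdump ring only if the target filesystem
# has room for it. Function names and variables are assumptions, not SWG code.

# KiB needed for a ring of FILES files of SIZE_MB each. tcpdump's -C unit is
# 1,000,000 bytes (not 1,048,576), so -C 100 -W 20 needs ~2 GB (1953125 KiB).
required_kb() {
    size_mb=$1; files=$2
    echo $(( size_mb * files * 1000000 / 1024 ))
}

# Build the tcpdump command line. All options are placed before the filter
# expression: getopt implementations that stop at the first non-option word
# would otherwise treat "-C 100 -W 20 -w ..." as part of the BPF filter.
build_tcpdump_cmd() {
    size_mb=$1; files=$2; out=$3; shift 3
    echo "tcpdump -Z root -s 0 -i any -C $size_mb -W $files -w $out $*"
}

# Free KiB on the filesystem holding DIR (POSIX df output, column 4).
free_kb() {
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

# Usage: start_rolling_capture SIZE_MB FILES OUTFILE FILTER...
# With DRY_RUN set, prints the command instead of launching it.
start_rolling_capture() {
    dir=${CAPTURE_DIR:-/var}
    size_mb=$1; files=$2; out=$3; shift 3
    need=$(required_kb "$size_mb" "$files")
    have=$(free_kb "$dir")
    if [ "$have" -lt "$need" ]; then
        echo "not enough space in $dir: need ${need} KiB, have ${have} KiB" >&2
        return 1
    fi
    cmd=$(build_tcpdump_cmd "$size_mb" "$files" "$dir/$out" "$@")
    if [ -n "$DRY_RUN" ]; then
        echo "$cmd"
        return 0
    fi
    # Detach from the SSH session so the capture survives logout; -Z root keeps
    # tcpdump running as root so it can write the ring files into $dir.
    nohup $cmd >/dev/null 2>&1 &
    echo "started (pid $!): $cmd"
}
```

The ring files are written as OUTFILE0 through OUTFILE19 and the oldest is overwritten once -W files exist, so the capture can run for days while using a bounded amount of space.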
Analyzing tcpdumps with Wireshark:
Tcpdumps can be analyzed with the tool Wireshark. Following are some examples of how you can filter the dump to see the traffic that you want to see.
You can use Wireshark to create tcpdumps on the client.
Filter | Description |
---|---|
ip.addr | Filters for a specific IP address (display filter fields are lowercase and case-sensitive) |
tcp.port | Filters for a TCP port |
tcp.stream | Filters for a specific TCP stream; created automatically when you follow a TCP stream |
eth.addr | Filters for a physical (MAC) address |
Operator | Description |
---|---|
== or eq | Equals |
|| or or | At least one of the parameters needs to match |
&& or and | Both parameters need to match |
!= or neq | Doesn't equal the value |
You can also filter for certain protocols:
Protocol | Description |
---|---|
dns | Filters for dns traffic |
http | Filters for http traffic |
ssl | Filters for SSL/TLS traffic (Wireshark 3.0 and later use tls; ssl is kept as an alias) |
ntlmssp | Filters for ntlm traffic |
ldap | Filters for ldap traffic |
icap | Filters for icap traffic |