
Skyhigh Security

Performing Packet Tracing in Secure Web Gateway (SWG)

Packet tracing is a useful technique for identifying the root cause of a problem. You can perform packet tracing in SWG to analyze or troubleshoot network problems and to debug communication. It helps you resolve common problems encountered with SWG, such as SWG being unable to reach a website, SWG not responding to a client request, or a connection attempt performed through SWG failing.

To perform Packet Tracing in SWG:

Create a trace file either from the SWG manager or from the appliance command line (CLI).

SWG manager:

  1. Log on to the SWG manager and navigate to Troubleshooting | Packet Tracing.
  2. In the command-line parameters field, type the tcpdump parameters needed to filter the capture. This way you collect only the relevant traffic and keep the dump from growing too large.

A capture started from the user interface is limited to 200,000 packets.

  3. Click tcpdump start.
  4. Reproduce the issue.
  5. When the issue has been reproduced, stop the capture.

Command line:

  1. Log on to the SWG appliance CLI using SSH.
  2. Go to the tcpdump folder: Type cd /opt/mwg/log/debug/tcpdump and press Enter.
  3. Start the tcpdump: Type tcpdump -s 0 -i any -w SR-Number_dump.pcap and press Enter.
  4. Reproduce the issue.
  5. When the issue has been reproduced, stop the capture by pressing Ctrl + C. tcpdump then flushes and closes the file.
  6. Download the file using FTP, or from the user interface under Troubleshooting | Packet Tracing.
List of common parameters

Option          Example             Description
-i interface    -i any              Listen on the given interface(s); any captures on all interfaces
-s snaplen      -s 0                Number of bytes to capture from each packet; 0 means the full packet
-B size         -B 1024             Operating system capture buffer size, in KiB (1024 bytes)
-c count        -c 10               Exit after receiving count packets
-C file size    -C 100              Maximum size of one capture file in MB; when reached, tcpdump continues in a new file (SWG 11.2, 11.1.3, 10.2.9, and 9.2.20 support this in the UI)
-W file count   -W 20               Maximum number of rotated files to keep before the oldest is overwritten (SWG 11.2, 11.1.3, 10.2.9, and 9.2.20 support this in the UI)
host ClientIP   host 192.168.0.2    Only capture packets from or to the given host
port Port       port 53             Only capture packets with the given source or destination port

NOTE: The man page lists all available options; view it with man tcpdump.

Example use cases:

  • Capture all network traffic on SWG with full packets: -s 0 -i any
  • Capture only traffic from or to a specific client with full packets: -s 0 -i any host clientIP
  • Capture traffic of a specific client together with all SMB (port 445) and DNS (port 53) traffic, to analyze authentication issues with the domain controller: -s 0 -i any host clientIP or port 445 or port 53
Rolling captures for intermittent issues

Some issues appear only sporadically and are hard to reproduce while a tcpdump is running. In that case, create rolling captures that run over a long period until the issue recurs, keeping only a bounded amount of disk space in use.

Option              Example     Description
-C file size        -C 100      Maximum size of one capture file in MB
-W number of files  -W 20       Maximum number of files to keep; older files are overwritten in a ring
-G seconds          -G 10       Rotate the dump file every X seconds. When used with -w, the file name must contain a strftime(3) time format (for example capture_%Y%m%d_%H%M%S.pcap); otherwise each rotation overwrites the previous file

To create rolling captures for authentication issues:

The following example keeps up to 20 files of 100 MB each, so you need 2 GB of free space on /var.

  1. Log on to the SWG appliance CLI using SSH.
  2. Go to the /var folder: Type cd /var and press Enter.
  3. Verify that you have enough free space: Type df -k and press Enter.
  4. Start the rolling captures: Type nohup tcpdump -Z root -s 0 -i any -C 100 -W 20 -w capturefilename.pcap port 445 or port 53 & and press Enter twice.

The capture filter (port 445 or port 53) is given last, after all options. -Z root keeps tcpdump running as root; by default tcpdump drops privileges before opening the output file, and the rotated files in /var could then not be created. nohup and the trailing & keep the capture running after you close the SSH session; tcpdump appends a sequence number to capturefilename.pcap for each rotated file. To stop the capture later, send the process SIGINT (kill -INT with the tcpdump PID), which has the same effect as Ctrl + C and lets tcpdump close the current file cleanly.

This example filters for traffic on ports 445 and 53. This data is useful for troubleshooting AD domain membership and authentication issues on SWG.
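The following POSIX shell helpers are an added example and are not part of the Skyhigh documentation. They wrap both the command-line procedure and the rolling capture above: they compute the disk space a -C/-W rolling capture can consume, compare it with the output of df, and only then start tcpdump detached with nohup, recording the PID so the capture can be stopped with SIGINT later. The tcpdump options and the filter are the ones used in the article; the capture directory, the .log and .pid file names and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Skyhigh SWG documentation.
# Helpers for starting a rolling tcpdump on the appliance only after
# checking that the target filesystem can hold every rotated file.
# tcpdump options mirror the article (-Z root -s 0 -i any -C -W -w);
# the capture directory, the .log/.pid file names and the helper names
# are assumptions made for this example.

# Disk budget for a rolling capture, in KiB so it compares with `df -k`.
# tcpdump's -C unit is 1,000,000 bytes; budgeting a full MiB per unit
# rounds up, so the check errs on the safe side.
#   $1 = -C file size (MB), $2 = -W number of files
required_kib() {
    echo $(( $1 * $2 * 1024 ))
}

# Available KiB on the filesystem that holds $1.
# -P forces POSIX single-line output so the 4th column is always "Avail".
free_kib() {
    df -kP "$1" | awk 'NR == 2 { print $4 }'
}

# Succeeds (exit 0) when $1 has room for a -C $2 -W $3 rolling capture.
space_ok() {
    need=$(required_kib "$2" "$3")
    have=$(free_kib "$1")
    [ "${have:-0}" -ge "$need" ]
}

# Start a detached rolling capture.
#   $1 = directory (e.g. /var), $2 = -C size, $3 = -W count,
#   $4 = base file name, $5 = BPF filter as one string
# The filter is deliberately left unquoted on the tcpdump line so that
# "port 445 or port 53" is split into the separate words tcpdump expects,
# and it comes last, after all options.
start_rolling_capture() {
    dir=$1 size=$2 count=$3 name=$4 filter=$5
    if ! space_ok "$dir" "$size" "$count"; then
        echo "refusing to start: $dir lacks $(required_kib "$size" "$count") KiB for $count x ${size} MB" >&2
        return 1
    fi
    # -Z root keeps tcpdump running as root; by default it drops
    # privileges before opening the output file, which would fail in /var.
    nohup tcpdump -Z root -s 0 -i any -C "$size" -W "$count" \
        -w "$dir/$name" $filter >"$dir/$name.log" 2>&1 &
    echo $! >"$dir/$name.pid"
    echo "rolling capture started, pid $(cat "$dir/$name.pid"), files $dir/$name*"
}

# Stop a capture started above. SIGINT is what Ctrl+C sends, so tcpdump
# flushes and closes the current file instead of leaving it truncated.
stop_rolling_capture() {
    pidfile=$1
    kill -INT "$(cat "$pidfile")" && rm -f "$pidfile"
}

# Usage on the appliance (as root), matching step 4 of the procedure:
#   . ./rolling_capture.sh
#   start_rolling_capture /var 100 20 capturefilename.pcap "port 445 or port 53"
#   ...wait for the issue to recur, then:
#   stop_rolling_capture /var/capturefilename.pcap.pid
```

Source the file rather than executing it, then call start_rolling_capture with the directory, -C size, -W count, base file name and filter. Because the space check runs before tcpdump is launched, a capture that would fill /var is refused instead of failing partway through the night.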

Analyzing tcpdumps with Wireshark:

Capture files written by tcpdump can be analyzed with Wireshark. Following are some examples of display filters you can use to narrow the dump to the traffic you want to see. Display filter names are case-sensitive and written in lowercase.

You can also use Wireshark to capture traffic on the client, which lets you compare both ends of a connection.

Filter       Description
ip.addr      Filters for a specific IP address (source or destination)
tcp.port     Filters for a TCP port (source or destination)
tcp.stream   Filters for a specific TCP stream; Wireshark sets this automatically when you follow a TCP stream
eth.addr     Filters for a physical (MAC) address

 

Operator Description
== or eq Equals
|| or or One of the parameters need to apply
&& or and Both parameters need to match
!= or neq Doesn't equal the value


You can also filter for certain protocols:

Protocol   Description
dns        Filters for DNS traffic
http       Filters for HTTP traffic
ssl        Filters for TLS/SSL traffic (newer Wireshark versions name this protocol tls and keep ssl as an alias)
ntlmssp    Filters for NTLM authentication traffic
ldap       Filters for LDAP traffic
icap       Filters for ICAP traffic