Blue Coat Systems SG Appliance User Guide
Volume 9: Managing the Blue Coat SG Appliance
Packet Capturing (the Job Utility)
You can capture packets of Ethernet frames going into or leaving an SG appliance. Packet capturing allows filtering on various attributes of the frame to limit the amount of data collected. The maximum PCAP size allowed is 100MB. Any packet filters must be defined before a capture is initiated, and the current packet filter can only be modified if no capture is in progress.
The pcap utility captures all received packets that are either directly addressed to the SG appliance through an interface's MAC address or through an interface's broadcast address. The utility also captures transmitted packets that are sent from the appliance. The collected data can then be transferred to the desktop or to Blue Coat for analysis.
PCAP File Name Format
The name of a downloaded packet capture file has the format bluecoat_date_filter-expression.cap, revealing the date and time (UTC) of the packet capture and any filter expressions used. Because the filter expression can contain characters that are not supported by a file system, a translation can occur. The following characters are not translated:
❐ Alphanumeric characters (a-z, A-Z, 0-9)
❐ Periods (.)
Characters that are translated are:
❐ Space (replaced by an underscore)
❐ All other characters (including the underscore and dash) are replaced by a dash followed by the two-digit hexadecimal ASCII code of the character; for example, a dash is translated to -2D and an ampersand (&) to -26.
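A worked translation of the character rules above, written as an added example (it is not code from the manual or from Blue Coat); the date layout used in capture_file_name and the sample filter strings are assumptions:

```python
import re
import string

# Characters the appliance leaves untouched in the file name: letters, digits and periods.
UNTRANSLATED = frozenset(string.ascii_letters + string.digits + ".")


def encode_filter_expression(expr: str) -> str:
    """Translate a BPF filter expression into the form used in the capture file name.

    Space becomes an underscore; every other non-alphanumeric, non-period
    character (underscore and dash included) becomes a dash followed by the
    two-digit hexadecimal ASCII code of the character.
    """
    out = []
    for ch in expr:
        if ch in UNTRANSLATED:
            out.append(ch)
        elif ch == " ":
            out.append("_")
        elif ord(ch) < 128:
            out.append("-%02X" % ord(ch))
        else:
            # Assumption: filter expressions are plain ASCII, as BPF syntax is.
            raise ValueError("non-ASCII character in filter expression: %r" % ch)
    return "".join(out)


def decode_filter_expression(encoded: str) -> str:
    """Recover the original filter expression from its file-name form.

    Underscores are turned back into spaces first, so that an underscore
    produced by decoding "-5F" is not mistaken for an encoded space.
    """
    spaced = encoded.replace("_", " ")
    return re.sub(r"-([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), spaced)


def capture_file_name(date_stamp: str, expr: str) -> str:
    """Assemble bluecoat_<date>_<translated filter>.cap.

    date_stamp is a constructed placeholder: the manual states only that the
    name carries the UTC date and time, not the exact layout of that field.
    """
    return "bluecoat_%s_%s.cap" % (date_stamp, encode_filter_expression(expr))
```

The decoder is handy when sorting through a directory of downloaded captures to see which filter each one was taken with.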
Common PCAP Filter Expressions
Packet capturing allows filtering on various attributes of the frame to limit the amount of data collected. PCAP filter expressions can be defined in the Management Console or the CLI. Below are examples of filter expressions; for PCAP configuration instructions, see
Some common filter expressions for the Management Console and CLI are listed below. The filter uses the Berkeley Packet Filter (BPF) format, which is also used by the tcpdump program. A few simple examples are provided below. If filters with greater complexity are required, you can find many resources on the Internet and in books that describe the BPF filter syntax.
Note: Packet capturing increases the amount of processor usage performed in TCP/IP.
To analyze captured packet data, you must have a tool that reads Packet Sniffer Pro 1.1 files (for example, Ethereal or Packet Sniffer Pro 3.0).