
Bluecoat SGS Notes

October 16, 2022

Sample SGS Common Filter Expressions

Filter Expression                              Packets Captured
ip host 10.25.36.47                            Captures packets from a specific host with IP address 10.25.36.47.
not ip host 10.25.36.47                        Captures packets from all IP addresses except 10.25.36.47.
ip host 10.25.36.47 and ip host 10.25.36.48    Captures packets from two IP addresses: 10.25.36.47 and 10.25.36.48.
ether host 00:e0:81:01:f8:fc                   Captures packets from MAC address 00:e0:81:01:f8:fc.
port 80                                        Captures packets to port 80.
ip src bluecoat.com                            Captures all packets that came from the host bluecoat.com to the ProxySG.
host example.com and tcp                       Captures all TCP packets sent between the host example.com and the ProxySG.

Using Filter Expressions in the CLI
To add a filter to the CLI, use the command:
SGOS#pcap filter expr parameters
To remove a filter, use the command:
SGOS#pcap filter
Important: Enclose the CLI filter expr parameter in double quotes to avoid confusion with special characters. For example, the CLI interprets a space as the start of an additional parameter, but it accepts only one parameter for the filter expression. Enclosing the entire filter expression in double quotes allows the expression to contain multiple spaces.
Configuring Packet Capturing
Use the following procedures to configure packet capturing. If a download of the captured packets is requested, packet capturing is implicitly stopped. In addition to starting and stopping packet capture, a filter expression can be configured to control which packets are captured.

For information on configuring a PCAP filter, see “Common PCAP Filter Expressions” above.
Note: Requesting a packet capture download stops packet capturing.

To analyze captured packet data, you must have a tool that reads Packet Sniffer Pro 1.1 files (for example, Ethereal or Packet Sniffer Pro 3.0).

To Enable, Stop, and Download Packet Captures through the Management Console:

  1. Select Maintenance>Service Information>Packet Captures.
    The Packet Captures tab displays.
  2. To configure packet capturing, complete the following steps:
    o To define or change the PCAP filter, enter the filter information into the Capture filter field. (See “Common PCAP Filter Expressions” for information about PCAP filter expressions for this field.) To remove the filter, clear this field.
    o To specify the number of kilobytes to capture, check the Include packets in core checkbox and enter a number. You can capture packets and include them along with a core image. This is extremely useful if a certain pattern of packets causes the unit to restart unexpectedly.
    o To capture all packets, even those that are bridged, check the Capture bridging packets checkbox. Normally, the packets that are bridged from one interface to another (see “Software and Hardware Bridges” ) are not included in the packet capture.
  3. Choose one of the following three radio buttons:
    o Capture all matching packets
    o Capture first n matching packets. Enter the number of matching packets (n) to capture. If the number of packets reaches this limit, packet capturing stops automatically.
    o Capture last n matching packets. Enter the number of matching packets (n) to capture. Any packet received after the memory limit is reached results in the discarding of the oldest saved packet prior to saving the new packet. The saved packets in memory are written to disk when the capture is stopped.
  4. Click Apply.
  5. To start the capture, click the Start capture button. This button will be grayed out if a packet capture is already started.
  6. To stop the capture, click the Stop capture button. This button will be grayed out if a packet capture is already stopped.
  7. To download the capture, click the Download capture button. This button will be grayed out if no file is available for downloading.

To Define Packet Capturing Settings through the CLI:

  1. To define PCAP filter parameters, enter the following command at the enable command prompt:
    SGOS#pcap filter parameters
    This captures packets according to the parameters set. If no parameters are set, all packets are captured until the pcap stop command is issued.

See “Using Filter Expressions in the CLI” for information about CLI filter parameters.

  2. To begin capturing packets, enter the following command at the enable command prompt:
    SGOS#pcap start {first number | last number | capsize number (kilobytes) | trunc number}
    where:
    first number allows you to enter the number of matching packets (number) to capture. If the number of packets reaches this limit, packet capturing stops automatically.
    last number allows you to enter the number of matching packets (number) to capture. Any packet received after the memory limit is reached results in the discarding of the oldest saved packet prior to saving the new packet. The saved packets in memory are written to disk when the capture is stopped. The last and first options supersede each other.
    capsize number (kilobytes) allows you to stop the collection after number kilobytes (up to 100 MB) of packets have been captured. This command prevents packet capturing from taking up too much memory and degrading performance. If no parameter is specified, the default is to capture packets until the stop directive is issued.
    trunc number allows collecting, at most, number bytes from each frame.

To Enable, Stop, and Download Packet Captures through a Browser:

  1. Start your Web browser.
  2. Enter the URL: https://ProxySG_IP_address:8082/PCAP/Statistics and log on to the ProxySG as needed.
    The Packet Capture Web page opens.
  3. Select the desired action: Start packet capture, Stop packet capture, Download packet capture file.

You can also use the following URLs to configure these individually:
• To enable packet capturing, use this URL:
https://ProxySG_IP_address:8082/PCAP/start
• To stop packet capturing, use this URL:
https://ProxySG_IP_address:8082/PCAP/stop
• To download packet capturing data, use this URL:
https://ProxySG_IP_address:8082/PCAP/bluecoat.cap

Viewing Current Packet Capture Data
Use the following procedures to display current capture information from the ProxySG.
To View Current Packet Capture Data through the Management Console:

  1. Select Maintenance>Service Information>Packet Captures.
    The Packet Captures tab displays.
  2. To view the packet capture statistics, click the Show statistics button.
    A window opens displaying the statistics on the current packet capture settings. Close the window when you are finished viewing the statistics.
To View Current Packet Capture Data through the CLI:
At the enable command prompt, enter the following command:
SGOS#pcap info
packet capture information:
Packets captured: 12
Bytes captured: 1879
Packets written: 12
Bytes written: 2343
Max packet ram: 16384
Packet ram used: 2167
Packets filtered: 405
Bridge capture all: Disabled
Current state: Stopped
Filtering: On
Filter expression: iface out expr ""

Uploading Packet Capture Data
Use the following steps to transfer packet capture data from the ProxySG to an FTP site through the CLI. You cannot use the Management Console for this. After the upload is complete, you can analyze the packet capture data.

To Upload Packet Captures to a Server through the CLI:
At the enable command prompt, enter the following command:
SGOS#pcap transfer ftp://url/path/filename.cap username password
Specify a username and password, if the FTP server requires these. The username and password must be recognized by the FTP server.
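As an added example (not Blue Coat's own code), the following Python helper applies two rules from the pcap sections above: it wraps a multi-word filter expression in the double quotes the `pcap filter` CLI needs to treat it as one parameter, and it parses `pcap info` output so a script can confirm the capture is already stopped before requesting a download, since a download implicitly stops a running capture. The sample `pcap info` text is constructed from the fields shown above.

```python
def filter_command(expr: str) -> str:
    """Return the SGOS `pcap filter` line for a BPF expression.

    The CLI accepts exactly one parameter, so a multi-word expression must be
    wrapped in double quotes; an empty expression clears the filter. Embedded
    double quotes are rejected because the CLI would read them as the end of
    the parameter.
    """
    expr = expr.strip()
    if not expr:
        return "pcap filter"
    if '"' in expr:
        raise ValueError("double quotes are not allowed inside a filter expression")
    return f'pcap filter "{expr}"'


# Constructed sample of `pcap info` output, mirroring the fields shown above.
SAMPLE_PCAP_INFO = """\
packet capture information:
Packets captured: 12
Bytes captured: 1879
Packets written: 12
Bytes written: 2343
Max packet ram: 16384
Packet ram used: 2167
Packets filtered: 405
Bridge capture all: Disabled
Current state: Stopped
Filtering: On
Filter expression: iface out expr ""
"""


def parse_pcap_info(text: str) -> dict:
    """Parse `key: value` lines into a dict; counters become ints."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or key == "packet capture information":
            continue
        info[key] = int(value) if value.isdigit() else value
    return info


def ready_for_download(info: dict) -> bool:
    """A download implicitly stops a running capture, so only report ready
    once the capture is already stopped and something has been written."""
    return info.get("current state") == "Stopped" and info.get("packets written", 0) > 0
```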
Proxy trace – View and diagnose proxy traffic

Cache:
Sites cached for performance reasons
url.domain=(www.xyz.com) cache(no) pipeline(no)
url.address=(x.x.x.x) cache(no)

url.domain=(www.xyz.com) direct(yes)
ALLOW condition=WSUS exit
ALLOW condition=owa_auth_problem action.proxy_header(yes)
DENY condition=ms_messenger
DENY condition=yahoo_msg exit
ALLOW condition=ports

define condition trusted
url.domain=com
url.address=x.x.0.0/16
end condition trusted

define condition WSUS
client.address=x.x.x.x/32
client.address=x.x.0.0/16
end condition WSUS

define condition owa_auth_problem
set(response.x_header.Proxy-Support, "none")
end condition owa_auth_problem

Blue Coat Web Filter (formerly Cerberian)
http://list.bluecoat.com/bcwf/activity/download/bcwf.db

3 Roles Bypass
Setup – NTLM (bcaaa)
Campus – Dst – Do not Authenticate
Campus – Dst – Force Authentication