How to perform packet tracing in McAfee Web Gateway
Technical Articles ID:   KB75056
Last Modified:  12/20/2018

Environment

McAfee Web Gateway (MWG) 7.x

Summary

This article describes how to perform packet tracing in McAfee Web Gateway to analyze/troubleshoot network problems and debug communication.

Problem

Web Gateway cannot reach a website.

Web Gateway is not responding to a client request.

A connection attempt performed through Web Gateway fails.

Solution

A trace file can be created either from the Web Gateway manager or from the appliance command line (CLI).

Web Gateway manager:
  1. Log on to the MWG manager and navigate to Troubleshooting, Packet Tracing.
  2. In the command line parameters box, type the required parameters to filter the dump.
    This way you only collect necessary information and prevent the dump from getting too large.
    NOTE: The file size for the dump created on the user interface is limited to 200,000 packets.
     
  3. Click tcpdump start.
  4. Reproduce the issue.
  5. When the issue has been reproduced, stop the capture.

Command line:
  1. Log on to the MWG appliance command line interface using SSH.
  2. Navigate to the tcpdump folder:
    Type cd /opt/mwg/log/debug/tcpdump and press ENTER.
     
  3. Start the tcpdump:
    Type tcpdump -s 0 -i any -w SR-Number_dump.pcap and press ENTER.
     
  4. Reproduce the issue.
  5. When the issue has been reproduced, stop the capture by pressing CTRL + C.
  6. You can download the file using FTP or on the user interface in the Troubleshooting, Packet Tracing section.

List of common parameters:
Option           Example              Description
-i interface     -i any               Listen on the defined interface(s)
-s snaplen       -s 0                 Number of bytes of data captured from each packet (0 means the whole packet)
host ClientIP    host 192.168.0.2     Only sniff packets from or to a certain host
port Port        port 53              Only sniff packets with the specified port as source or destination port

NOTE: The man-pages contain all available options and can be viewed by man tcpdump.

Example use cases:
  • Capture all network traffic on the McAfee Web Gateway with full packets:
    -s 0 -i any
     
  • Capture only traffic from or to a specific client with full packets:
    -s 0 -i any host clientIP
     
  • Capture traffic of a specific clientIP, data from/to the domain controller and DNS traffic to analyze authentication issues:
    -s 0 -i any host clientIP or port 445 or port 53
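The command-line procedure and the three use cases above, as an added shell example that is not part of this article: it validates the client IP and the SR number before they are placed on the tcpdump command line, builds the capture filter for the chosen use case, and names the file SR-Number_dump.pcap in /opt/mwg/log/debug/tcpdump as the article does. The DUMP_DIR variable, the function names and the "run" argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the McAfee article): build and start one of the
# article's tcpdump captures with validated input. The dump directory and the
# SR-Number_dump.pcap naming come from the article; DUMP_DIR, the function
# names and the "run" argument are assumptions of this example.

DUMP_DIR=${DUMP_DIR:-/opt/mwg/log/debug/tcpdump}

# Accept only a dotted-quad IPv4 address (four octets, each 0-255).
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    n=0
    oldifs=$IFS; IFS=.
    for o in $1; do
        n=$((n + 1))
        [ "$o" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# Print the capture filter for one of the article's three use cases:
#   all          everything on every interface (empty filter)
#   client IP    traffic from or to one client
#   auth IP      that client plus SMB (445) and DNS (53), for authentication problems
build_filter() {
    mode=$1; client=${2:-}
    case "$mode" in
        all)    printf '' ;;
        client) valid_ipv4 "$client" || return 1
                printf 'host %s' "$client" ;;
        auth)   valid_ipv4 "$client" || return 1
                printf 'host %s or port 445 or port 53' "$client" ;;
        *)      echo "unknown mode: $mode (use all, client or auth)" >&2; return 1 ;;
    esac
}

# Print the full command line the article has you type: capture_cmd SR MODE [IP]
capture_cmd() {
    sr=$1; mode=$2; client=${3:-}
    case "$sr" in ''|*[!A-Za-z0-9_-]*) echo "SR number must be alphanumeric" >&2; return 1 ;; esac
    filter=$(build_filter "$mode" "$client") || return 1
    printf 'tcpdump -s 0 -i any -w %s/%s_dump.pcap%s\n' "$DUMP_DIR" "$sr" "${filter:+ $filter}"
}

# Run the capture (needs root); stop it with CTRL + C as in the article.
start_capture() {
    cmd=$(capture_cmd "$@") || return 1
    filter=$(build_filter "$2" "${3:-}")
    echo "starting: $cmd"
    cd "$DUMP_DIR" || return 1
    # $filter is unquoted on purpose: each word becomes a separate tcpdump argument
    tcpdump -s 0 -i any -w "$DUMP_DIR/${1}_dump.pcap" $filter
}

# Usage: sh capture.sh run SR-12345 auth 192.168.0.2
if [ "${1:-}" = run ]; then
    shift
    start_capture "$@"
fi
```

Without the `run` argument the script only defines the functions, so `capture_cmd` can be used to preview the exact command before anything is captured; the validation matters because the SR number becomes part of a file path and the client IP becomes part of the filter expression.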

Rolling captures for intermittent issues
Some issues appear only sporadically and are hard to reproduce while a tcpdump is running. For these you can run rolling captures over a long period until the issue reoccurs, so that only a bounded amount of disk is used.
Option               Example    Description
-C file size         -C 100     Maximum size of each capture file in MB; when it is reached, tcpdump starts a new file
-W number of files   -W 20      Maximum number of files to keep; when it is reached, the oldest file is overwritten (ring buffer)
-G seconds           -G 10      Rotate the dump file every X seconds

To create rolling captures for authentication issues
NOTE: For the following example, you will need 2GB of free space on /var
  1. Log on to the MWG appliance command line interface using SSH.
  2. Navigate to the /var folder:
    Type cd /var and press ENTER.
     
  3. Verify that you have enough free space:
    Type df -k and press ENTER.
     
  4. Start the rolling captures: 
    Type nohup tcpdump -Z root -s 0 -i any port 445 or port 53 -C 100 -W 20 -w capturefilename.pcap & and press ENTER twice.

    NOTE: This example filters for traffic on port 445 and 53. This is useful for troubleshooting AD Domain membership and authentication issues on MWG.
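The rolling-capture procedure above, as an added shell example that is not part of this article: it computes the disk the ring of files needs (-C times -W, 100 x 20 = 2,000 MB, the 2 GB the article mentions), checks it against df -k for /var, and only then starts the same nohup tcpdump command as the article, with the filter expression placed after the options as the tcpdump man page lays it out. The CAP_DIR, FILE_MB, FILE_COUNT and FILTER variables and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the McAfee article): start the article's rolling
# capture only after checking that /var has room for -C * -W megabytes of pcap
# files. Variable and function names are assumptions of this example.

CAP_DIR=${CAP_DIR:-/var}
FILE_MB=${FILE_MB:-100}                   # -C: size of each capture file in MB
FILE_COUNT=${FILE_COUNT:-20}              # -W: files kept before the oldest is overwritten
FILTER=${FILTER:-"port 445 or port 53"}   # the article's AD membership / DNS filter

# Disk needed for the ring of capture files, in MB: required_mb FILE_MB FILE_COUNT
required_mb() { echo $(( $1 * $2 )); }

# Free kilobytes on the filesystem holding $1, from the same df -k the article uses
# (-P keeps the output on one line per filesystem so the column is stable).
avail_kb() { df -kP "$1" | awk 'NR == 2 { print $4 }'; }

# Returns 0 when AVAIL_KB covers REQUIRED_MB, 1 otherwise: enough_space REQUIRED_MB AVAIL_KB
enough_space() {
    need_kb=$(( $1 * 1024 ))
    [ "$2" -ge "$need_kb" ]
}

start_rolling() {
    need=$(required_mb "$FILE_MB" "$FILE_COUNT")
    have=$(avail_kb "$CAP_DIR")
    if ! enough_space "$need" "$have"; then
        echo "need ${need} MB in $CAP_DIR but only $(( have / 1024 )) MB are free" >&2
        return 1
    fi
    cd "$CAP_DIR" || return 1
    # -Z root keeps tcpdump running as root so it can write the ring files here;
    # nohup and & keep it running after the SSH session ends. $FILTER is unquoted
    # on purpose so that each word becomes a separate tcpdump argument.
    nohup tcpdump -Z root -s 0 -i any -C "$FILE_MB" -W "$FILE_COUNT" \
        -w capturefilename.pcap $FILTER > tcpdump.out 2>&1 &
    echo "rolling capture started with pid $!; stop it with: kill $!"
}

# Usage (as root on the appliance): sh rolling.sh run
if [ "${1:-}" = run ]; then
    start_rolling
fi
```

The pid printed at start is what you kill once the issue has reoccurred; tcpdump's own messages go to tcpdump.out in /var instead of the terminal you have logged out of.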

Analyzing tcpdumps with Wireshark
Tcpdumps can be analyzed with Wireshark. You can download the Wireshark protocol analyzer at www.wireshark.org. The following are examples of how you can filter the dump down to the traffic you want to see.

NOTE: Wireshark can also be used to create tcpdumps on the client.
 
Filter        Description
ip.addr       Filters for a specific IP address
tcp.port      Filters for a TCP port
tcp.stream    Filters for a specific TCP stream; Wireshark fills it in automatically when you follow a TCP stream
eth.addr      Filters for a physical (MAC) address

NOTE: Field names are lowercase and case-sensitive.

Operator      Description
== or eq      Equals
|| or or      At least one of the expressions must match
&& or and     Both expressions must match
!= or neq     Does not equal the value


You can also filter for certain protocols:
Protocol    Description
dns         Filters for DNS traffic
http        Filters for HTTP traffic
ssl         Filters for SSL traffic
ntlmssp     Filters for NTLM traffic
ldap        Filters for LDAP traffic
icap        Filters for ICAP traffic
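The Wireshark filter, operator and protocol tables above, as an added shell example that is not part of this article: it translates the tcpdump capture filters the article uses (host X or port N) into the equivalent Wireshark display filter using the fields and operators from the tables, so the same traffic the capture was narrowed to can be selected again when viewing the file. It then applies the display filter with tshark, Wireshark's command-line tool (tshark -r reads a file, -Y sets a display filter), when tshark is installed. The udp.port field is a real Wireshark field that the article's table does not list; it is needed because DNS on port 53 is normally UDP. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the McAfee article): convert a tcpdump capture filter
# such as "host 192.168.0.2 or port 445 or port 53" into a Wireshark display
# filter built from the fields and operators in the article's tables, and apply
# it with tshark. Function names are assumptions of this example; udp.port is a
# real Wireshark field that the article does not list.

# capture_to_display 'host X or port N ...'  -> prints the display filter
capture_to_display() {
    out=""
    key=""
    for tok in $1; do
        case "$tok" in
            host|port) key=$tok ;;                 # next token is the value
            or)  out="$out || " ;;                 # tcpdump "or"  -> Wireshark "||"
            and) out="$out && " ;;                 # tcpdump "and" -> Wireshark "&&"
            *)
                case "$key" in
                    host) out="${out}ip.addr == $tok" ;;
                    port)
                        case "$tok" in ''|*[!0-9]*) echo "bad port: $tok" >&2; return 1 ;; esac
                        # a tcpdump "port" matches TCP and UDP, so both fields are needed;
                        # the parentheses keep the "||" from mixing with a surrounding "&&"
                        out="${out}(tcp.port == $tok || udp.port == $tok)" ;;
                    *) echo "unexpected token: $tok" >&2; return 1 ;;
                esac
                key=""
                ;;
        esac
    done
    [ -z "$key" ] || { echo "missing value after $key" >&2; return 1; }
    printf '%s\n' "$out"
}

# show_matches FILE.pcap 'host X or port N'  -> one summary line per matching packet
show_matches() {
    filter=$(capture_to_display "$2") || return 1
    command -v tshark >/dev/null 2>&1 || { echo "tshark (Wireshark CLI) is not installed" >&2; return 2; }
    echo "display filter: $filter" >&2
    tshark -r "$1" -Y "$filter"
}

# Usage: sh show_matches.sh SR-12345_dump.pcap 'host 192.168.0.2 or port 445 or port 53'
if [ $# -eq 2 ]; then
    show_matches "$1" "$2"
fi
```

The printed display filter can be pasted unchanged into the filter bar of the Wireshark GUI; adding `&& ntlmssp` or `&& dns` to it narrows the authentication use case further using the protocol table above.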
