You can create a trace file either from the Web Gateway manager or from the appliance command line (CLI).
Web Gateway manager:
- Log on to the Web Gateway manager and navigate to Troubleshooting, Packet Tracing.
- In the command-line parameters box, type the required parameters to filter the dump.
This action allows you to collect only the needed information and prevent the dump from getting too large.
NOTE: The file size for the dump created on the user interface is limited to 200,000 packets.
- Click tcpdump start.
- Reproduce the issue.
- When the issue has been reproduced, stop the capture.
Command line:
- Log on to the Web Gateway appliance CLI using SSH.
- Go to the tcpdump folder:
Type cd /opt/mwg/log/debug/tcpdump and press Enter.
- Start the tcpdump:
Type tcpdump -s 0 -i any -w SR-Number_dump.pcap and press Enter.
- Reproduce the issue.
- When the issue has been reproduced, stop the capture by pressing Ctrl + C.
- You can download the file using FTP or on the user interface in the Troubleshooting, Packet Tracing section.
List of common parameters:
| Option |
Example |
Description |
| -i interface |
-i any |
Listen on defined interface(s) |
| -s snaplen |
-s 0 |
Define the bytes of data from each packet
NOTE: 0 means all. |
| host ClientIP |
host 192.168.0.2 |
Only sniff packets from or to a certain host |
| port Port |
port 53 |
Only sniff packets with specified port as source or destination port |
NOTE: The man-pages contain all available options and can be viewed by
man tcpdump.
Example use cases:
- Capture all network traffic on the Web Gateway with full packets:
-s 0 -i any
- Capture only traffic from or to a specific client with full packets:
-s 0 -i any host clientIP
- Capture traffic of a specific clientIP, data from/to the domain controller and DNS traffic to analyze authentication issues:
-s 0 -i any host clientIP or port 445 or port 53
Rolling captures for intermittent issues
Some issues might appear sporadically and it will be hard to reproduce them while creating the tcpdump. You can create rolling captures over a long time until the issue reoccurs.
| Option |
Example |
Description |
| -C file size |
-C 100 |
Specify a maximum file size in MB |
| -W number of files |
-W 20 |
Maximum number of files to keep |
| -G seconds |
-G 10 |
Rotates the dump file every X seconds |
To create rolling captures for authentication issues
NOTE: For the following example, you will need 2GB of free space on
/var
- Log on to the Web Gateway appliance CLI using SSH.
- Go to the /var folder:
Type cd /var and press Enter.
- Verify that you have enough free space:
Type df -k and press Enter.
- Start the rolling captures:
Type nohup tcpdump -Z root -s 0 -i any port 445 or port 53 -C 100 -W 20 -w capturefilename.pcap & and press Enter twice.
NOTE: This example filters for traffic on port 445 and 53. This data is useful for troubleshooting AD Domain membership and authentication issues on Web Gateway.
Analyzing tcpdumps with Wireshark
Tcpdumps can be analyzed with the tool
Wireshark. Following are some examples of how you can filter the dump to see the traffic you want to see.
NOTE: You can use Wireshark to create tcpdumps on the client.
| Filter |
Description |
| Ip.addr |
Filters for a specific IP address |
| Tcp.port |
Filters for tcp port |
| Tcp.stream |
Filters for a specific tcp stream, automatically created if you follow a tcp stream |
| Eth.addr |
Filters for a physical address |
| Operator |
Description |
| == or eq |
Equals |
| || or or |
One of the parameters need to apply |
| && or and |
Both parameters need to match |
| != or neq |
Does not equal the value |
You can also filter for certain protocols:
| Protocol |
Description |
| dns |
Filters for dns traffic |
| http |
Filters for http traffic |
| ssl |
Filters for ssl traffic |
| ntlmssp |
Filters for ntlm traffic |
| ldap |
Filters for ldap traffic |
| icap |
Filters for icap traffic |
