Using tcpdump in Content Gateway Manager
- Article Number: 000007407
- Products: Forcepoint Web Security, TRITON AP-WEB, Web Security Gateway, Web Security Gateway Anywhere
- Version: 8.5, 8.4, 8.3, 8.2, 8.1, 8.0, 7.8
- Last Published Date: January 14, 2021
Notes & Warnings
This article also applies to v8.5.3.
Forcepoint Appliance administrators can collect tcpdump and additional troubleshooting diagnostics from X-series and V-series appliances using the Diagnose Mode of the Admin CLI
Tcpdump is a command line tool used to perform packet capture and packet analysis. It can be very helpful when diagnosing network transaction and web proxy issues.
When Content Gateway is installed on an appliance, tcpdump (and other common command line diagnostic tools) require the assistance of Technical Support.
It would be nice to be able to run tcpdump within Content Gateway Manager.
Beginning with 7.8.4, Content Gateway makes several command line diagnostic tools available within Content Gateway Manager. To access the tools, in the manager go to Monitor > My Proxy > Diagnostics. Tcpdump is one of the commands available on the Manual tab of that page.
To run tcpdump:
As the test runs, messages appear in the Test Results box at the bottom of the page, and output is written to the file /opt/WCG/logs/tcpdump.pcap.
When the test completes, a link is provided for you to save the results to a new file.
Each time TCPDump runs, the tcpdump.pcap file is overwritten with new output. If you want to keep the output from the most recent run, be sure to save it before initiating another TCPDump.
To avoid problems with disk space, tcpdump.pcap is limited to 10,000 packets. Output received after the limit is reached is dropped.
To help understand how tcpdump is used, please see this information.
There are several Knowledge Base Articles that explain how tcpdump can be used to diagnose Content Gateway problems. For example:
Proxy Caching - Reviewing And Troubleshooting Cached Objects
How do I identify DNS errors?
Websense Content Gateway sometimes records traffic as coming from 127.0.0.1
In most cases, the same information can be obtained using the TCPDump option.
Several tcpdump parameters are not supported when the tool is run within Content Gateway Manager. They are:
Most of these parameters are either covered by features provided by TCPDump (such as, output to a file (-w)) or have the potential to make the output file too large.
In the past, Technical Support often helped administrators run tcpdump with the following common parameters. These common cases can be run with TCPDump and information can be gathered and saved before contacting Technical Support for assistance.
When you are uncertain of the source of the issue, capture information for both the client and server using:
tcpdump -np -i any -s 0 not port 22
If you think the issue may be related to DNS latency, collect information using:
tcpdump -np -i any -s 0 port 53
Enter the parameters for these commands in the input field and save the output file for Technical Support to review.
tcpdump; content gateway; wcg; diagnostics; troubleshooting; support; admin