KB Article | Forcepoint Support

Notes & Warnings

To retrieve a packet capture on an Appliance or in Linux, see Using tcpdump in Content Gateway Manager, but be aware that this pcap is less useful for troubleshooting because many tcpdump parameters are disabled there. For a more complete tcpdump on Appliances, see Diagnose. Tcpdump packet captures (pcap files) can be opened in Wireshark.

For more information on tcpdump, see Manpage of TCPDUMP.

Problem Description

Why use Wireshark to troubleshoot Forcepoint filtering?

Wireshark can be used to troubleshoot a variety of Web filtering issues. For example:
  1. I am unable to access a specific website, or I am experiencing latency accessing a site.
  2. I am not getting a Forcepoint block page when going to a restricted web site.
  3. I am looking for evidence of DNS latency.
  4. I cannot get protocol blocking to work.
  5. I am in Stand-Alone mode and am not seeing any traffic.
  6. I am in Stand-Alone mode and can see traffic, but requests are not blocked.
  7. I need to see which user agent a client is sending.

Resolution

Below are the steps for installing and using Wireshark in an environment for troubleshooting connection issues. For more detailed information on how to read a Wireshark packet capture, visit Learn Wireshark.

Installation of Wireshark
  1. Browse to the following URL: Wireshark.
  2. Click on Download (Get Started Now).
  3. Choose version 64-bit or 32-bit.
  4. Download and install.
Note Default installation options are usually fine. The packet capture driver is required (WinPcap in older Wireshark installers, Npcap in current ones); the USBPcap option is not.
 
Important If Network Agent is installed on the server, Wireshark will hang when capturing on that server. To make a packet capture with Wireshark on a server that runs Network Agent:
  1. Open Services with the run command services.msc.
  2. Right-click Websense Network Agent and select Properties.
  3. Change the Startup type from Automatic to Disabled, then click Stop.
  4. Restart the server.
  5. Open Wireshark and select the NIC to listen on.
  6. Start the capture.
  7. When the capture is finished, reopen Services.
  8. Right-click Websense Network Agent and select Properties.
  9. Change the Startup type from Disabled to Automatic, then click Start.
Note While the service is stopped, Network Agent is not monitoring or enforcing anything on that server, so keep the capture window short and confirm that the service is running again afterwards.


Running a Packet Capture with Wireshark

  1. From the Capture drop-down menu, select Options.
Note The interface list shows the IP addresses assigned to each interface. This is helpful when the machine has multiple NICs and you need to know which one to monitor.
  2. Click the interface to use and click Start to begin the capture.
  3. When finished capturing the data needed, click the Stop icon (red square) or, from the Capture drop-down menu, select Stop.
 

    Column Definitions

    1. No.: The Packet Number in order from least to greatest.
    2. Time: The time since the beginning of the capture; the format can be changed under View > Time Display Format.
    3. Source: The address where this packet is coming from.
    4. Destination:The address where this packet is going to.
    5. Protocol: The protocol name in a short (perhaps abbreviated) version.
    6. Info: Additional information about the packet content.
    7. Custom columns: Click Edit > Preferences > Columns (under User Interface in older versions, Appearance in newer ones), add a column with Type "Custom" and Fields set to the field name (such as http.user_agent), then click OK. Alternatively, right-click the field in the packet details pane and choose Apply as Column. The capture now shows the user agent data in its own column.


    Filtering Packets
    Display filters let you concentrate on the packets you are interested in; they only change what is shown, not what was captured. To select packets by protocol, type the protocol name (for example http or dns) in the Filter field of the filter toolbar and press Enter. If the syntax of the display filter is wrong, the background of the text box turns red (it turns green when the filter is valid). Keep in mind that the http filter only matches cleartext HTTP: traffic to HTTPS sites appears as TLS (ssl in older Wireshark versions), where only the handshake and the requested server name are visible, not the request or the response.

    Note Field names and the contains operator are case sensitive (http contains "Pac" does not match "pac"); use matches with a (?i) prefix for a case-insensitive search.

    Common Wireshark Filters

    • Show all cleartext HTTP traffic: http
    • Show PAC file requests: http contains "pac"
    • Check for GET requests: http.request.method==GET
    • Forbidden: http.response.code==403
    • Service unavailable (commonly seen when the proxy's connection to the origin server fails or times out): http.response.code==503
    • Proxy authentication required: http.response.code==407
    • Unauthorized: http.response.code==401
    • Search for very slow DNS responses (dns.time is in seconds, so this means more than ten seconds; a smaller threshold is usually more useful): dns.time>10
    • Show DNS traffic over UDP (use dns instead to include DNS over TCP): udp.port==53
    • Find a packet containing text (like URL info; contains is case sensitive): http contains "text"
    • Check for DNS response times of 100 ms or less: dns.time>0 and dns.time<=0.1
    • Show packets that carry a User-Agent header: http.user_agent
    • Check for RST packets: tcp.flags.reset==1
    • Detect the Network Agent redirect packet: ip.id == 0x02f2
    • Detect the 302 redirect to the Forcepoint block page (port 15871): http contains "15871"
    • Find Network Agent block redirects (both conditions on the same packet): (ip.id==0x02f2) and (http contains "15871")
    • Find packets to or from an IP: ip.addr == xxx.xxx.xxx.xxx
    • Find packets by destination IP: ip.dst == xxx.xxx.xxx.xxx
    • Find packets by source IP: ip.src == xxx.xxx.xxx.xxx
    • Find packets to or from a TCP port: tcp.port == xxxx
    • Find packets by destination TCP port: tcp.dstport == xxxx
    • Find packets by source TCP port: tcp.srcport == xxxx


    To track a specific connection such as for a specific website

    1. Locate the initial GET request for the site
    2. Right-click and select Follow TCP Stream.
    3. Wireshark applies a display filter for that connection (tcp.stream eq N) and shows everything regarding it, from the initial SYN to the FIN/ACK, with the request and response data in the stream window.
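
The checks from the filter list above and the per-connection grouping that Follow TCP Stream performs, as an added worked example; this is not Forcepoint's or Wireshark's code. It parses the classic libpcap file format with Python's standard library only (Ethernet/IPv4/TCP, cleartext HTTP, no fragment or stream reassembly), applies the same predicates as the display filters (IP ID 0x02f2, a 302 whose Location points at port 15871, TCP RST, 401/403/407 responses, User-Agent), and builds a small capture in memory so it runs offline. The IP ID and port values are the ones the article gives; the addresses, the blockpage.cgi path and its query string, and the User-Agent strings in the sample are constructed for the example.

```python
import struct

NA_IP_ID = 0x02F2        # Network Agent redirect packet: ip.id == 0x02f2
BLOCK_PAGE_PORT = 15871  # Forcepoint block page port: http contains "15871"
TCP_RST = 0x04           # tcp.flags.reset == 1


def parse_pcap(data):
    """Yield (ip_id, src, dst, sport, dport, tcp_flags, payload) per Ethernet/IPv4/TCP frame."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only the little-endian classic pcap format is handled")
    off = 24                                         # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                 # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + ihl]
        total_len, ip_id = struct.unpack("!HH", ip[2:6])
        tcp = frame[14 + ihl:14 + total_len]         # no fragment or segment reassembly
        if ip[9] != 6 or len(tcp) < 20:
            continue                                 # not TCP, or truncated
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield ip_id, src, dst, sport, dport, tcp[13], tcp[(tcp[12] >> 4) * 4:]


def _status(payload):
    # HTTP status code of a response payload, or None for anything else
    parts = payload.split(b" ", 2)
    return int(parts[1]) if parts[0].startswith(b"HTTP/1.") and len(parts) == 3 and parts[1].isdigit() else None


def _header(payload, name):
    # value of the first matching header in an HTTP request or response, or None
    for line in payload.split(b"\r\n")[1:]:
        if not line:
            break                                    # blank line ends the headers
        key, _, value = line.partition(b":")
        if key.strip().lower() == name.lower().encode():
            return value.strip().decode("latin-1")
    return None


def triage(pcap_bytes):
    """Run the article's filter checks on each frame and group frames by TCP connection."""
    result = {"na_redirects": [], "block_page_302": [], "resets": [],
              "denied": [], "user_agents": set(), "streams": {}}
    for n, (ip_id, src, dst, sport, dport, flags, payload) in enumerate(parse_pcap(pcap_bytes), 1):
        conn = tuple(sorted([(src, sport), (dst, dport)]))  # one key for both directions
        result["streams"].setdefault(conn, []).append(n)    # what Follow TCP Stream groups
        if ip_id == NA_IP_ID:
            result["na_redirects"].append(n)
        if flags & TCP_RST:
            result["resets"].append(n)
        code, location = _status(payload), _header(payload, "Location") or ""
        if code == 302 and f":{BLOCK_PAGE_PORT}/" in location:
            result["block_page_302"].append((n, location))
        elif code in (401, 403, 407):
            result["denied"].append((n, code))
        ua = _header(payload, "User-Agent") if payload.startswith((b"GET ", b"POST ", b"CONNECT ")) else None
        if ua:
            result["user_agents"].add(ua)
    return result


def _frame(src, dst, sport, dport, flags, payload, ip_id=0x1234):
    # one Ethernet/IPv4/TCP frame; checksums left zero (Wireshark does not validate them by default)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_sample_pcap():
    """Constructed capture: a GET answered by a Network Agent style 302 to the block page and a reset, then a proxy 407."""
    frames = [
        _frame("10.1.1.20", "198.51.100.10", 51000, 80, 0x18,
               b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0 (constructed)\r\n\r\n"),
        _frame("198.51.100.10", "10.1.1.20", 80, 51000, 0x18,
               b"HTTP/1.1 302 Found\r\nLocation: http://10.1.1.5:15871/cgi-bin/blockpage.cgi?ws-session=1\r\n\r\n",
               ip_id=NA_IP_ID),
        _frame("198.51.100.10", "10.1.1.20", 80, 51000, TCP_RST | 0x10, b""),
        _frame("10.1.1.20", "10.1.1.9", 51001, 8080, 0x18,
               b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/8.0 (constructed)\r\n\r\n"),
        _frame("10.1.1.9", "10.1.1.20", 8080, 51001, 0x18,
               b"HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Negotiate\r\n\r\n"),
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    records = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + records


if __name__ == "__main__":
    for name, value in triage(build_sample_pcap()).items():
        print(name, value)
```

Run it directly to print the triage of the constructed capture. To try the display filters from the list on the same data, write the bytes returned by build_sample_pcap() to a .pcap file and open it in Wireshark: ip.id == 0x02f2 and http contains "15871" match frame 2, tcp.flags.reset==1 matches frame 3, and http.response.code==407 matches frame 5. The parser judges each frame on its own, so on a real capture, where responses span several segments, use it for quick triage only and rely on Wireshark or tshark for reassembly.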
