How to Make TcpDump Capture on Squid

We have a problem connecting to one specific site through the proxy and need to see the traffic at the network level in our Squid proxy / Web Safety virtual appliance. How do we do it from the command line?

To look into the proxy traffic we will use the tcpdump command. First, log in to the virtual appliance using the terminal console and find out which interface names the virtual appliance has by running the following command:

root@node12:~# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 .. 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    link/ether 00:0c:29:7e:b9:03 brd ff:ff:ff:ff:ff:ff

This output indicates that the interface in the virtual appliance is named ens160. Please note that if you are using the Web Safety virtual appliance for Microsoft Hyper-V, the interface names may differ.

Now start tcpdump on the server by running the following command: tcpdump -i ens160 -s 65535 -w connection.dump. The output will look something like the following.

root@node12:~# tcpdump -i ens160 -s 65535 -w connection.dump
    tcpdump: listening on ens160, link-type EN10MB (Ethernet), capture size 65535 bytes
    71 packets captured
    97 packets received by filter
    0 packets dropped by kernel

Go to your browser and visit the problematic site. Close the browser afterwards. Then return to the virtual appliance console and press CTRL+C to stop the capture.

The only thing left is to download the connection.dump file to your desktop machine, compress it and send it to for analysis. Please note that the attachment limit on that address is 1MB only.

If interested, you can also open that file in Wireshark and inspect the HTTP/HTTPS/Proxy connection contents. It may help identify the cause of the error.
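Before compressing and sending the capture, it is worth confirming that connection.dump is a valid Ethernet (EN10MB) pcap, that it was taken with the full 65535-byte snapshot length so no packet was cut short, and that it fits the 1MB attachment limit. The following inspector is an added example, not part of the original article or the Web Safety appliance; it parses the classic pcap format that tcpdump -w writes, and the sample capture it builds is constructed inline so the script runs without a real dump.

```python
"""Sanity-check a tcpdump capture (classic pcap) before sending it for analysis."""
import struct

LINKTYPE_ETHERNET = 1           # shown by tcpdump as "link-type EN10MB (Ethernet)"
ATTACHMENT_LIMIT = 1024 * 1024  # the 1MB attachment limit mentioned above
PCAP_HDR = "HHiIII"             # version major/minor, thiszone, sigfigs, snaplen, linktype


def inspect_pcap(data: bytes) -> dict:
    """Parse the 24-byte global header, then walk every 16-byte record header.
    Reports link type, snaplen, packet count, captured bytes, how many packets
    were cut short by the snaplen (incl_len < orig_len) and the file size."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:       # magic as written on a little-endian host
        endian = "<"
    elif magic == 0xD4C3B2A1:     # same magic seen byte-swapped: big-endian file
        endian = ">"
    else:
        raise ValueError("unsupported capture format, magic %#x" % magic)
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(endian + PCAP_HDR, data[4:24])
    offset, packets, captured, truncated = 24, 0, 0, 0
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if incl_len > snaplen or offset + 16 + incl_len > len(data):
            raise ValueError("corrupt record at offset %d" % offset)
        if incl_len < orig_len:   # packet was cut short by a too-small -s value
            truncated += 1
        packets += 1
        captured += incl_len
        offset += 16 + incl_len
    return {"linktype": linktype, "snaplen": snaplen, "packets": packets,
            "captured_bytes": captured, "truncated": truncated,
            "file_bytes": len(data), "fits_attachment": len(data) <= ATTACHMENT_LIMIT}


def build_sample(snaplen: int) -> bytes:
    """Constructed two-frame capture (a 74-byte frame and a full 1514-byte frame),
    recorded with the given snaplen the way tcpdump -s <snaplen> would."""
    out = struct.pack("<I" + PCAP_HDR, 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for orig_len in (74, 1514):
        incl_len = min(orig_len, snaplen)
        out += struct.pack("<IIII", 1700000000, 0, incl_len, orig_len) + bytes(incl_len)
    return out


if __name__ == "__main__":
    import sys   # usage: python inspect_pcap.py connection.dump (no argument: built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(65535)
    print(inspect_pcap(data))
```

A non-zero "truncated" count means the capture was taken with a smaller snapshot length than the -s 65535 in the command above and should be repeated.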