
ZPA App Connector: TCP Dump / PCAP capture

This guide illustrates how to take a PCAP capture on a ZPA App Connector using tcpdump.

Prerequisites:

1) The administrator must have SSH (TCP port 22) access allowed towards the App Connector.

2) The administrator must have the login credentials for the App Connector.

Steps:

  1. SSH to the App Connector, using the IP address allocated to the VM, from any application that can open an SSH session.

  2. Accept any security alert about the App Connector host fingerprint (if one appears).

  3. Enter your credentials for the App Connector.

  4. Make sure you know where your captures will be written: run the following command to print the current working directory.

    pwd


  5. To start the PCAP capture, run the following command (the capture file is written to the current directory):

    sudo tcpdump -w [filename].pcap

    If you need to capture on a specific interface only, perform the following steps:

    1. Identify the interface you want to capture on with the following command:

      ifconfig


    2. Run the following command to capture on that interface only:

      sudo tcpdump -i [interface name] -w [filename].pcap

  6. Reproduce the traffic and, once done, stop the capture by pressing Ctrl-C.
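The shell steps above (find the working directory, pick an interface, start tcpdump, stop with Ctrl-C) wrapped into one reusable helper, as an added example that is not part of the original guide or of the App Connector software. It assumes tcpdump and sudo are present on the connector and that interfaces are listed under /sys/class/net (both paths are overridable). It adds three things a troubleshooting session usually needs: it refuses unknown interface names, writes to an absolute, timestamped path so the file is easy to locate in the SFTP download step, and accepts an optional packet cap and BPF filter so the capture cannot fill the connector's disk.

```shell
#!/bin/sh
# Added example (not from the original guide): helper for tcpdump captures on a
# ZPA App Connector. Assumptions: tcpdump and sudo are installed; interfaces are
# listed under /sys/class/net (override with NET_SYS_DIR for testing).

NET_SYS_DIR="${NET_SYS_DIR:-/sys/class/net}"
CAPTURE_DIR="${CAPTURE_DIR:-$HOME}"   # where .pcap files are written

# Equivalent of the "ifconfig" step: list interface names known to the kernel.
list_interfaces() {
    ls "$NET_SYS_DIR"
}

# Return 0 if the interface exists, 1 otherwise.
interface_exists() {
    [ -e "$NET_SYS_DIR/$1" ]
}

# Turn a free-form label such as "app login #3" into a safe file name stem.
sanitize_label() {
    printf '%s' "$1" | sed 's/[^A-Za-z0-9_-]/_/g'
}

# Absolute capture path: <CAPTURE_DIR>/<label>-<UTC timestamp>.pcap
capture_path() {
    stem=$(sanitize_label "$1")
    printf '%s/%s-%s.pcap\n' "$CAPTURE_DIR" "$stem" "$(date -u +%Y%m%d-%H%M%S)"
}

# Print the tcpdump command line that start_capture runs.
#   $1 interface, $2 output file, $3 max packets (0 = unlimited), $4.. BPF filter
# -n avoids DNS lookups during capture; -s 0 keeps full packets.
build_capture_cmd() {
    iface=$1; out=$2; max=$3; shift 3
    cmd="tcpdump -n -s 0 -i $iface -w $out"
    if [ "$max" -gt 0 ] 2>/dev/null; then
        cmd="$cmd -c $max"          # stop automatically after $max packets
    fi
    if [ $# -gt 0 ]; then
        cmd="$cmd $*"               # optional BPF filter, e.g. host 10.0.0.5
    fi
    printf '%s\n' "$cmd"
}

# Validate the interface, then run the capture under sudo (Ctrl-C stops it).
#   usage: start_capture <interface> <label> [max_packets] [bpf filter...]
start_capture() {
    iface=$1; label=$2; max=${3:-0}
    if [ $# -ge 3 ]; then shift 3; else shift $#; fi
    if ! interface_exists "$iface"; then
        echo "interface '$iface' not found under $NET_SYS_DIR; known: $(list_interfaces | tr '\n' ' ')" >&2
        return 1
    fi
    out=$(capture_path "$label")
    echo "writing capture to $out (stop with Ctrl-C)" >&2
    # The command is built as plain words, so word splitting here is intended.
    sudo $(build_capture_cmd "$iface" "$out" "$max" "$@")
}

# Example session (interface and label are placeholders):
#   start_capture eth0 app-login-issue 5000 host 10.0.0.5
```

Run it with `. ./capture.sh` (or paste the functions into the SSH session) and call `start_capture` with the interface name from `list_interfaces`; the path it prints is the file to select in the WinSCP download step. The packet cap and filter are optional, but on a production connector a cap is worth keeping so an unattended capture cannot exhaust disk space.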

  7. To retrieve the capture file from the App Connector, you can use WinSCP.

  8. Under Protocol, select SFTP, then enter your App Connector IP address, username and password to log in.

  9. Accept any fingerprint warning shown by the app.

  10. Select the capture file, right-click it and click Download to save the file to your own machine.