This guide illustrates how to perform a PCAP capture on a ZPA App Connector.
Prerequisites:
1) The administrator must have SSH (TCP port 22) traffic allowed towards the App Connector.
2) The administrator must have the login credentials for the App Connector.
Steps:
SSH to the App Connector, using the IP address allocated to the VM, from any application that can perform SSH operations.
Accept the security alert for the App Connector's host key fingerprint, if one appears.
Enter the credentials for the App Connector.
Make sure you know where your captures will be written by running the following command, which prints the current working directory:
pwd
To start the PCAP capture, run the following command:
sudo tcpdump -w [filename].pcap
If you need to capture on a specific interface, perform the following steps.
Find the interface you would like to capture on with the following command:
ifconfig
Run the following command to capture only on that interface:
sudo tcpdump -i [interface name] -w [filename].pcap
Reproduce the traffic of interest and, once completed, stop the capture by pressing Ctrl-C.
To retrieve the capture file, you can use WinSCP to copy it off the App Connector.
Under Protocol, select SFTP, then enter your App Connector IP address, username and password to log in.
Accept any fingerprint warning shown by the application.
Select the capture file, right-click it and choose Download to save the file to your own machine.
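The capture steps above, wrapped in a small POSIX shell script as an added example (not part of the original guide or of Zscaler's tooling). It adds two safeguards a practitioner would want on a production App Connector: it checks that the interface exists before starting, and it uses tcpdump's -C/-W ring buffer so a forgotten capture cannot fill the disk. The 50 MB / 5-file limits, the optional BPF filter and the use of `timeout` are assumptions; the Linux /sys/class/net check assumes the App Connector runs Linux.

```shell
#!/bin/sh
# Added example: interface-specific PCAP capture on a ZPA App Connector
# with a size-bounded ring buffer. Run this after logging in over SSH.

# Return 0 if the interface exists on this Linux host (assumption: Linux).
iface_exists() {
  [ -d "/sys/class/net/$1" ]
}

# Build the tcpdump argument list for interface $1, file stem $2 and an
# optional BPF filter $3. -s 0 captures full packets; -C 50 starts a new
# file every 50 MB and -W 5 keeps at most five files, overwriting the oldest.
build_capture_args() {
  iface="$1"; stem="$2"; filter="$3"
  printf '%s' "-i $iface -s 0 -C 50 -W 5 -w $stem.pcap"
  [ -n "$filter" ] && printf ' %s' "$filter"
  printf '\n'
}

# Start the capture. $4 is an optional duration in seconds; if omitted,
# stop the capture with Ctrl-C as described in the guide.
start_capture() {
  iface="$1"; stem="$2"; filter="$3"; duration="$4"
  if ! iface_exists "$iface"; then
    echo "interface '$iface' not found; check ifconfig output" >&2
    return 1
  fi
  echo "writing ${stem}.pcap* to $(pwd)"
  args=$(build_capture_args "$iface" "$stem" "$filter")
  # Word splitting of $args is intentional: tcpdump wants separate tokens.
  if [ -n "$duration" ]; then
    timeout "$duration" sudo tcpdump $args
  else
    sudo tcpdump $args
  fi
}

# Usage (hypothetical values): capture 120 s of port-443 traffic on eth0.
# start_capture eth0 zpa_capture "port 443" 120
```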