How to perform a network packet capture using the Netscaler shell
There are a few different ways to do this.
To use nstrace, first log in to the NetScaler:
login as: netscaler.user
Using keyboard-interactive authentication.
Password: ****
Last login: Mon Oct 5 12:31:22 2015 from 10.0.0.10
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
Done
>
Then use the nstrace command, e.g.:
nstrace -filter "DESTIP == 10.0.0.20" -link ENABLED -size 0
The -size 0 option captures the entire packet instead of just the packet headers, which is what the NetScaler captures by default.
If you want to use multiple filters, enclose them together in quotes and separate them with a double pipe (||):
nstrace -filter "DESTIP == 10.0.0.20 || DESTPORT == 25" -link ENABLED -size 0
The trace file is written under /var/nstrace. Use WinSCP to copy the file from the NetScaler so that you can open it in Wireshark.
nstrace names the file automatically as nstraceX, where X is the trace number (nstrace1.cap, nstrace2.cap, and so on).
> shell
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
root@NS-TEST101#
root@NS-TEST101# ls -las /var/nstrace/
total xxxx
2 drwxr-xr-x 8 root wheel 512 Oct 6 12:03 .
2 drwxr-xr-x 28 root wheel 512 Apr 11 2014 ..
304384 -rw-r--r-- 1 root wheel 311508992 Oct 5 12:18 nstrace1.cap
65888 -rw-r--r-- 1 root wheel 67395584 Oct 6 11:41 nstrace2.cap
56352 -rw-r--r-- 1 root wheel 57655296 Oct 6 12:05 nstrace3.cap
root@NS-TEST101#
You may notice the format is a little funky, because the NetScaler uses its own version of the cap format, and older versions of Wireshark don't support it. You may prefer to run the capture in the default WinPcap format instead:
nstrace -filter "DESTIP == 10.0.0.150 || DESTPORT == 25" -link ENABLED -size 0 -tcpDump TCPDUMP
Those familiar with tcpdump may prefer this option, which is built into the shell.
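As an added example (not part of the original post or of Citrix's tooling), a small POSIX shell script that checks whether the files under /var/nstrace carry a standard pcap or pcapng magic number, so you know before copying a trace off the box whether your Wireshark build will open it. The directory path is the one from the listing above; the function names are my own, and the sample files used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: classify capture files by their magic number. A file without a
# pcap/pcapng magic is reported as "unknown" (e.g. a NetScaler-native .cap that
# older Wireshark versions cannot read); only the first four bytes are inspected.

# Print the first four bytes of a file as lowercase hex with no separators.
capture_magic() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Return 0 if the file starts with a pcap or pcapng magic number, 1 otherwise.
is_standard_pcap() {
    case "$(capture_magic "$1")" in
        d4c3b2a1|a1b2c3d4) return 0 ;;  # classic pcap, microsecond timestamps (LE/BE)
        4d3cb2a1|a1b23c4d) return 0 ;;  # pcap with nanosecond timestamps (LE/BE)
        0a0d0d0a)          return 0 ;;  # pcapng section header block
        *)                 return 1 ;;
    esac
}

# Report every nstrace*.cap in a directory (default /var/nstrace), one line per
# file: "<path> pcap" or "<path> unknown". Returns the count of unknown files.
report_captures() {
    dir=${1:-/var/nstrace}
    unknown=0
    for f in "$dir"/nstrace*.cap; do
        [ -f "$f" ] || continue          # glob did not match anything
        if is_standard_pcap "$f"; then
            printf '%s pcap\n' "$f"
        else
            printf '%s unknown\n' "$f"
            unknown=$((unknown + 1))
        fi
    done
    return "$unknown"
}
```

Run it on the NetScaler shell with `report_captures` (or `report_captures /some/other/dir`); a non-zero exit status means at least one trace is not in standard pcap format.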
For the full command reference:
NSTRACE
Version 9 http://support.citrix.com/article/CTX120941
Version 10 http://support.citrix.com/article/CTX132384