Citrix NetScaler traffic capture using nstrace and nstcpdump

Nstrace

Nstrace is the NetScaler packet capture tool. It dumps packets in the native NetScaler format; the trace files have a .cap extension and can be analysed with Wireshark. You can apply Wireshark display filters to the captured data as usual, or specify capture filters in the NetScaler CLI so that only the traffic of interest is captured in the first place.

start nstrace – Captures all traffic.

stop nstrace – Stops the packet capture.

show nstrace – Shows the status of nstrace, e.g. whether a capture is currently running.

Some classic nstrace expressions:

start nstrace -filter "vsvrname == LDAP-LoadBalanced-vServer" – Captures traffic to and from the specified vServer.

start nstrace -size 0 -filter "svcname == xx" – Captures traffic to and from the specified service. -size 0 means each packet is captured in full rather than truncated to the default snap length.

start nstrace -filter "DESTIP == 192.168.0.242" -link ENABLED – Captures all traffic to destination IP 192.168.0.242. The -link ENABLED switch additionally captures the return traffic from 192.168.0.242.

start nstrace -filter "DESTIP == x.x.x.x" – Captures all traffic to the specified destination IP.

start nstrace -filter "SRCIP == x.x.x.x" – Captures traffic sent from the specified source IP.

start nstrace -filter "DESTPORT == 443" – Captures traffic where the destination port is 443.

start nstrace -filter "SRCIP == x.x.x.x && DESTPORT == xx" – Captures traffic from a specified source IP to a specified destination port.

Some default commands/expressions:

Note: These are the same expressions you can use to filter traffic when running nstrace from the GUI. I prefer to use these expressions.

start nstrace -filter CONNECTION.SRCIP.EQ(192.168.0.100) -link ENABLED – Captures all traffic to and from 192.168.0.100.

start nstrace -filter CONNECTION.SRCIP.NE(192.168.0.100) – Captures all traffic except packets whose source IP is 192.168.0.100.

start nstrace -filter "CONNECTION.SRCIP.EQ(192.168.0.100) && CONNECTION.DSTPORT.EQ(443)" – Captures all traffic from 192.168.0.100 with the destination port as 443. (&& requires both conditions; || would capture packets matching either one.)

start nstrace -filter CONNECTION.INTF.EQ("0/1") – Captures all traffic flowing in and out of interface 0/1.

start nstrace -filter CONNECTION.VLANID.EQ(205) – Captures all traffic flowing in and out of VLAN 205.

start nstrace -filter CONNECTION.DSTPORT.BETWEEN(80,180) – Captures traffic when the destination port is between 80 and 180.

start nstrace -filter CONNECTION.LB_VSERVER.NAME.EQ("name") – Captures traffic to the specified load balancing virtual server.

start nstrace -filter CONNECTION.SERVICE_TYPE.EQ(SSL) – Captures all SSL traffic.

start nstrace -filter CONNECTION.SERVICE_TYPE.EQ(MONITOR_PING) – Captures all ping requests sent by a monitor including replies.

start nstrace -size 0 -nf 10 -time 120 – Starts an nstrace with circular logging. A maximum of 10 separate trace files is kept, and a new file is started every 120 seconds, so the oldest file is overwritten once the limit is reached.

Nstcpdump

Nstcpdump can be used for more low-level troubleshooting, but it does not collect as much detailed information as nstrace. It is run from the BSD shell: open the NetScaler CLI and type shell. You can use tcpdump-style filters with nstcpdump, but not filters that reference NetScaler-specific resources such as vServers or services. The dump output is displayed directly on the CLI screen.

CTRL + C – Press these keys simultaneously to stop a running nstcpdump.

nstcpdump.sh dst host x.x.x.x – Shows traffic sent to the specified destination host.

nstcpdump.sh src host x.x.x.x – Shows traffic sent from the specified source host.

nstcpdump.sh host x.x.x.x – Shows traffic to and from specified host IP.

nstcpdump.sh -c 10 dst host 192.168.0.242 – Outputs the first 10 packets destined for 192.168.0.242 and then exits.

nstcpdump.sh dst host 192.168.0.242 and port 443 – Outputs traffic destined for 192.168.0.242 on port 443.

nstcpdump.sh src host x.x.x.x and port xx – Outputs traffic from the specified source IP on the specified port.

nstcpdump.sh host x.x.x.x and host x.x.x.x – Shows traffic between the two specified host IPs.

nstcpdump.sh icmp – Outputs all ICMP echo requests and their replies. NetScaler uses ICMP to track the up/down status of, for example, the DNS servers configured on the NetScaler.

Note: Pings to DNS servers are sourced from the SNIP; using static routes to force these pings out via the NSIP, for example, will not work.

nstcpdump.sh icmp and dst host x.x.x.x – Outputs all echo requests sent to the specified destination host.

nstcpdump.sh icmp and dst host x.x.x.x -w /var/nstrace/output.cap – Outputs all echo requests sent to the specified destination host and also writes the packets to the specified .cap file for later analysis in Wireshark. Note that tcpdump itself expects -w before the filter expression, so if the wrapper rejects this form, move -w /var/nstrace/output.cap to the front of the command.
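The nstcpdump.sh expressions above are tcpdump filters evaluated on the appliance. The following Python script is an added example, not part of the original post and not Citrix code: it re-implements the same host, port and icmp primitives offline over a constructed sample of tcpdump-style text output (the format this example assumes nstcpdump.sh prints, since it wraps tcpdump), tallies the conversations in it, and lists echo requests that never received a reply. All IP addresses in the sample are made up. It is handy when what you have is a pasted CLI session rather than a .cap file you can open in Wireshark.

```python
"""Offline evaluation of nstcpdump-style filters over captured text output.

Added example; assumes nstcpdump.sh prints standard tcpdump text lines.
The SAMPLE below is constructed in that format with made-up addresses.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample of tcpdump text output (not a real capture).
SAMPLE = """\
10:00:01.000100 IP 192.168.0.100.51234 > 192.168.0.242.443: Flags [S], seq 1, win 64240, length 0
10:00:01.000300 IP 192.168.0.242.443 > 192.168.0.100.51234: Flags [S.], seq 1, ack 2, win 65535, length 0
10:00:01.000500 IP 192.168.0.100.51234 > 192.168.0.242.443: Flags [.], ack 2, win 64240, length 0
10:00:02.000000 IP 192.168.0.11 > 192.168.0.53: ICMP echo request, id 7, seq 1, length 64
10:00:02.000400 IP 192.168.0.53 > 192.168.0.11: ICMP echo reply, id 7, seq 1, length 64
10:00:03.000000 IP 192.168.0.100.40000 > 192.168.0.242.80: Flags [S], seq 9, win 64240, length 0
10:00:04.000000 IP 10.0.0.5.53210 > 192.168.0.242.443: Flags [S], seq 3, win 64240, length 0
10:00:05.000000 IP 192.168.0.11 > 192.168.0.54: ICMP echo request, id 7, seq 2, length 64
"""

# "<timestamp> IP <src>[.<sport>] > <dst>[.<dport>]: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?"
    r" > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)
ICMP_RE = re.compile(r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str  # "icmp" or "tcp" for the lines in this sample
    rest: str   # everything after the addresses, e.g. flags or ICMP details


def parse(text: str) -> List[Packet]:
    """Parse tcpdump text lines; non-packet lines (banners, counters) are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        proto = "icmp" if rest.startswith("ICMP") else "tcp"
        pkts.append(Packet(
            m.group("ts"), m.group("src"),
            int(m.group("sport")) if m.group("sport") else None,
            m.group("dst"),
            int(m.group("dport")) if m.group("dport") else None,
            proto, rest))
    return pkts


Filter = Callable[[Packet], bool]

# Filter primitives mirroring the nstcpdump.sh expressions on the page.
def dst_host(ip: str) -> Filter: return lambda p: p.dst == ip
def src_host(ip: str) -> Filter: return lambda p: p.src == ip
def host(ip: str) -> Filter: return lambda p: ip in (p.src, p.dst)
def port(n: int) -> Filter: return lambda p: n in (p.sport, p.dport)
def icmp() -> Filter: return lambda p: p.proto == "icmp"
def both(*fs: Filter) -> Filter: return lambda p: all(f(p) for f in fs)  # tcpdump "and"


def select(pkts: List[Packet], flt: Filter, count: Optional[int] = None) -> List[Packet]:
    """Apply a filter; count behaves like tcpdump -c (stop after N matches)."""
    hits = [p for p in pkts if flt(p)]
    return hits if count is None else hits[:count]


def conversations(pkts: List[Packet]) -> Counter:
    """Packets per unordered endpoint pair: the first thing to eyeball in any capture."""
    c: Counter = Counter()
    for p in pkts:
        c[tuple(sorted((p.src, p.dst)))] += 1
    return c


def unanswered_pings(pkts: List[Packet]) -> List[Packet]:
    """Echo requests with no matching reply, e.g. a monitored DNS server not responding."""
    sent, answered = {}, set()
    for p in pkts:
        m = ICMP_RE.search(p.rest) if p.proto == "icmp" else None
        if not m:
            continue
        key = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            sent[(p.src, p.dst) + key] = p
        else:  # a reply from dst back to src answers request (src, dst, id, seq)
            answered.add((p.dst, p.src) + key)
    return [pkt for k, pkt in sent.items() if k not in answered]


if __name__ == "__main__":
    pk = parse(SAMPLE)
    print("dst host 192.168.0.242 and port 443:", len(select(pk, both(dst_host("192.168.0.242"), port(443)))))
    for pair, n in conversations(pk).most_common():
        print(f"{pair[0]} <-> {pair[1]}: {n} packets")
    for p in unanswered_pings(pk):
        print("no echo reply from", p.dst, "for request sent at", p.ts)
```

Each primitive corresponds to one nstcpdump.sh expression on the page (dst host, src host, host, port, icmp, combined with and), so you can check offline what a given filter would have selected before re-running a capture on a production appliance.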


2 Comments

  • Andreas Fischer

    January 4, 2017

    Hi George! This page is very useful!
    I have a question regarding nstrace: why is the SSLPLAIN mode in NetScaler 11.1 hidden? I read the Citrix documentation, unfortunately version 11.0, where it was described, but I didn’t find it on my 11.1 machine (VPX on an SDX 11500), neither in the manual nor in the command short help:
    NSVPX1_Primary#> start nstrace -nf 21 -time 120 -size 0 -mode
    APPFW
    C2C
    IPV6
    MPTCP
    NEW_RX
    NS_FR_TX
    RX
    TX
    TXB
    NSVPX1_Primary#>
    So I tried it nevertheless – and it’s functioning!! What does that mean? Will Citrix remove the SSLPLAIN option in future, or is it part of another option?

    Thanks in advance for an answer and greetings from Dresden!
    Andreas

  • George Spiers

    January 5, 2017

    Hi Andreas
    Yes, as you noticed, SSLPLAIN still works as a command line switch. It is also still available from the GUI under System -> Diagnostics -> Start new trace, and it has been removed from the 11.1 documentation.
    I don’t know for sure if it will be removed in the future; however, there is a different (newer) method to decrypt SSL. A new switch was added to late NetScaler v11.0.66.x and above versions. It is called -capsslkeys. So a command such as start nstrace -capsslkeys ENABLED would capture a trace file, and a second file named nstrace.sslkeys. You can import the session keys file into Wireshark to decrypt the captured file.
