Citrix NetScaler traffic capture using nstrace and nstcpdump


Nstrace is the NetScaler packet capture tool. Nstrace dumps packets in the native NetScaler trace format. These trace files have a .cap extension and can be analysed with WireShark. You can apply display filters in WireShark as normal to work through the captured data, or specify filters on the NetScaler CLI so that only traffic of interest is captured in the first place.

start nstrace – Captures all traffic.

stop nstrace – Stops the packet capture.

show nstrace – Shows the status of nstrace and if it is running etc.


Some classic nstrace expressions:

start nstrace -filter “vsvrname == LDAP-LoadBalanced-vServer” – Captures traffic to and from the specified vServer.



start nstrace -size 0 -filter “svcname == xx” – Captures traffic to and from the specified service. -size 0 means all packets are captured regardless of packet size.

start nstrace -filter “DESTIP ==” -link ENABLE – Captures all traffic to the destination IP. The -link ENABLE switch is used to capture return traffic from



start nstrace -filter “DESTIP == x.x.x.x” – Captures all traffic to destination IP.

start nstrace -filter “SRCIP == x.x.x.x” – Captures traffic sent from source IP.

start nstrace -filter “DESTPORT == 443” – Captures traffic where the destination port is 443.



start nstrace -filter “SRCIP == x.x.x.x && DESTPORT == xx” – Captures traffic from a specified source IP and a specified destination port.

Some default commands/expressions:

Note: These expressions are the same ones you can use to filter traffic when running nstrace from the GUI. I prefer to use these expressions.

start nstrace -filter CONNECTION.SRCIP.EQ( -link ENABLED – Captures all traffic to and from

start nstrace -filter CONNECTION.SRCIP.NE( – Captures all source traffic apart from when the source is

start nstrace -filter “CONNECTION.SRCIP.EQ( || CONNECTION.DSTPORT.EQ(443)” – Captures all traffic from with the destination port as 443.

start nstrace -filter CONNECTION.INTF.EQ(“0/1”) – Captures all traffic flowing in and out of interface 0/1.

start nstrace -filter CONNECTION.VLANID.EQ(205) – Captures all traffic flowing in and out of VLAN 205.

start nstrace -filter CONNECTION.DSTPORT.BETWEEN(80,180) – Captures traffic when the destination port is between 80 and 180.

start nstrace -filter CONNECTION.LB_VSERVER.NAME.EQ(“name”) – Captures traffic to the specified Load Balanced Virtual Server.

start nstrace -filter CONNECTION.SERVICE_TYPE.EQ(SSL) – Captures all SSL traffic.

start nstrace -filter CONNECTION.SERVICE_TYPE.EQ(MONITOR_PING) – Captures all ping requests sent by a monitor including replies.

start nstrace -size 0 -nf 10 -time 120 – Starts an nstrace using circular logging. A maximum of 10 separate trace files will be generated, with a new file started every 120 seconds.


Nstcpdump can be used for more low-level troubleshooting. Nstcpdump does not collect as much detailed information as nstrace. Open the NetScaler CLI and type shell to reach the underlying shell, from which nstcpdump is run. You can use filters with nstcpdump, but not filters specific to NetScaler resources (vServers, services and so on). The dump output can be viewed directly within the CLI screen.

CTRL + C – Press these keys simultaneously to stop an nstcpdump.

dst host x.x.x.x – Shows traffic sent to the destination host.

src host x.x.x.x – Shows traffic from the specified host.

host x.x.x.x – Shows traffic to and from the specified host IP.

-c 10 dst host – Outputs the first 10 packets from destination

dst host and port 443 – Outputs traffic destined for on port 443.

src host x.x.x.x and port xx – Outputs traffic from the specified source IP and the specified port.

host x.x.x.x and host x.x.x.x – Shows traffic between two specified host IPs.

icmp – Outputs all sent echo requests and their replies. NetScaler uses ICMP to track the up/down status of DNS servers configured on the NetScaler, for example.

Note: Pings to DNS servers come from the SNIP; using static routes to force these pings through the NSIP, for example, will not work.

icmp and dst host x.x.x.x – Outputs all sent echo requests to a specified destination host.

icmp and dst host x.x.x.x -w /var/nstrace/output.cap – Outputs all sent echo requests to a specified destination host and saves the output in the specified cap file.

udp and not port 3003 and not port 1985 – Outputs all UDP traffic but excludes traffic on ports 3003 and 1985.
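As an added example (my own code, not from the original post), a small Python script that reads a capture written with nstcpdump's -w switch offline and applies the equivalent of the icmp and dst host x.x.x.x and udp and not port 3003 and not port 1985 filters above. It assumes the -w file is standard libpcap format with Ethernet framing (nstcpdump wraps tcpdump); the IP addresses and the sample capture it builds are constructed for the example.

```python
import struct
ETHERTYPE_IPV4, PROTO_ICMP, PROTO_UDP = 0x0800, 1, 17


def ipv4_packets(pcap: bytes):
    """Yield a summary dict per IPv4 packet in a libpcap (nstcpdump -w) byte string."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    offset = 24  # skip the 24-byte global header; each record header is 16 bytes
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[offset:offset + 16])[2]
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue  # not Ethernet/IPv4 or truncated: skip
        ip = frame[14:]
        l4 = ip[(ip[0] & 0x0F) * 4:]  # skip the IPv4 header (IHL words)
        pkt = {"proto": ip[9], "src": ".".join(map(str, ip[12:16])),
               "dst": ".".join(map(str, ip[16:20]))}
        if pkt["proto"] == PROTO_UDP and len(l4) >= 4:
            pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
        elif pkt["proto"] == PROTO_ICMP and l4:
            pkt["icmp_type"] = l4[0]  # 8 = echo request, 0 = echo reply
        yield pkt


def icmp_to_host(pcap: bytes, host: str) -> list:
    """Same selection as the nstcpdump filter: icmp and dst host <host>."""
    return [p for p in ipv4_packets(pcap) if p["proto"] == PROTO_ICMP and p["dst"] == host]


def udp_excluding_ports(pcap: bytes, *excluded: int) -> list:
    """Same selection as: udp and not port 3003 and not port 1985 (ports passed as args)."""
    return [p for p in ipv4_packets(pcap)
            if p["proto"] == PROTO_UDP and not {p["sport"], p["dport"]} & set(excluded)]


def _frame(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4 frame; MACs and checksums are zero (test data only)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload


def build_sample_pcap() -> bytes:
    """Constructed capture: monitor ping and reply, a DNS query, and UDP 3003 chatter."""
    frames = [
        _frame("10.0.0.10", "10.0.0.53", PROTO_ICMP, b"\x08\x00" + b"\x00" * 6),  # echo request
        _frame("10.0.0.53", "10.0.0.10", PROTO_ICMP, b"\x00\x00" + b"\x00" * 6),  # echo reply
        _frame("10.0.0.10", "10.0.0.53", PROTO_UDP, struct.pack("!HHHH", 40000, 53, 8, 0)),
        _frame("10.0.0.10", "10.0.0.11", PROTO_UDP, struct.pack("!HHHH", 3003, 3003, 8, 0)),
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    return header + b"".join(struct.pack("<IIII", 1483000000 + i, 0, len(f), len(f)) + f
                             for i, f in enumerate(frames))
```

Feed ipv4_packets the bytes of a file such as /var/nstrace/output.cap copied off the appliance to triage a real capture the same way.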


  • Andreas Fischer

    January 4, 2017

    Hi George! This page is very useful!
    I have a question regarding nstrace: why is the SSLPLAIN mode in NetScaler 11.1 hidden? I read the Citrix documentation, unfortunately version 11.0, where it was described, but I didn’t find it on my 11.1 machine (VPX on an SDX 11500), neither in the manual nor in the command short help:
    NSVPX1_Primary#> start nstrace -nf 21 -time 120 -size 0 -mode
    So I tried it nevertheless – and it’s functioning!! What does that mean? Will Citrix remove the SSLPLAIN option in future, or is it part of another option?

    Thanks in advance for an answer and greetings from Dresden!

  • George Spiers

    January 5, 2017

    Hi Andreas
    Yes, as you noticed, SSLPLAIN still works as a command-line switch. It is also still available from the GUI under System -> Diagnostics -> Start new trace, and it has been removed from the 11.1 documentation.
    I don’t know for sure if it will be removed in the future; however, there is a different (newer) method to decrypt SSL. A new switch was added to late NetScaler v11.0.66.x and above versions. It is called -capsslkeys. So a command such as start nstrace -capsslkeys ENABLED would capture a trace file, and a second file named nstrace.sslkeys. You can import the session keys file into WireShark to decrypt the captured file.

