Nstrace is a NetScaler packet capture tool. Nstrace dumps packets in the native NetScaler format. These trace files have an extension of .cap and can be analysed with WireShark. You can use specific filters in WireShark as normal to filter through captured data or specify filters using the NetScaler CLI. This allows you to only capture traffic of interest.
start nstrace – Captures all traffic.
stop nstrace – Stops the packet capture.
show nstrace – Shows the status of nstrace and if it is running etc.
Some classic nstrace expressions:
start nstrace -filter “vsvrname == LDAP-LoadBalanced-vServer” – Captures traffic to and from the specified vServer.
start nstrace -size 0 -filter “svcname == xx” – Captures traffic to and from the specified service. -size 0 means all packets are captured regardless of packet size.
start nstrace -filter “DESTIP == 192.168.0.242” -link ENABLE – Captures all traffic to destination IP 192.168.0.242. The -link ENABLE switch is used to capture return traffic from 192.168.0.242.
start nstrace -filter “DESTIP == x.x.x.x” – Captures all traffic to destination IP.
start nstrace -filter “SRCIP == x.x.x.x” – Captures traffic sent from source IP.
start nstrace -filter “DESTPORT == 443” – Captures traffic where the destination port is 443.
start nstrace -filter “SRCIP == x.x.x.x && DESTPORT == xx” – Captures traffic from a specified source IP and a specified destination port.
Some default commands/expressions:
Note: These expressions are the same onces you can use to filter traffic when running nstrace from the GUI. I prefer to use these expressions.
start nstrace -filter CONNECTION.SRCIP.EQ(192.168.0.100) -link ENABLED – Captures all traffic to and from 192.168.0.100.
start nstrace -filter CONNECTION.SRCIP.NE(192.168.0.100) – Captures all source traffic apart from when the source is 192.168.0.100.
start nstrace -filter “CONNECTION.SRCIP.EQ(192.168.0.100) || CONNECTION.DSTPORT.EQ(443)” – Captures all traffic from 192.168.0.100 with the destination port as 443.
start nstrace -filter “CONNECTION.DSTIP.EQ(192.168.0.15) || CONNECTION.DSTIP.EQ(192.168.0.16) || CONNECTION.DSTIP.EQ(192.168.0.17)” -link ENABLED – Captures traffic to and from three IP addresses.
start nstrace -filter CONNECTION.INTF.EQ(“0/1”) – Captures all traffic flowing in and out of interface 0/1.
start nstrace -filter CONNECTION.VLANID.EQ.(205) – Captures all traffic flowing in and out of VLAN 205.
start nstrace -filter CONNECTION.DSTPORT.BETWEEN(80,180) – Captures traffic when the destination port is between 80 and 180.
start nstrace -filter CONNECTION.LB_VSERVER.NAME.EQ(“name”) – Captures traffic to the specified Load Balanced Virtual Server.
start nstrace -filter CONNECTION.SERVICE_TYPE.EQ(SSL) – Captures all SSL traffic.
start nstrace -filter CONNECTION.SERVICE_TYPE.EQ(MONITOR_PING) – Captures all ping requests sent by a monitor including replies.
start nstrace -size 0 -nf 10 -time 120 – Starts an nstrace using circular logging. A maximum of 10 separate logs will be generates, each new log is generated every 120 seconds.
Nstcpdump can be used for more low-level troubleshooting. Nstcpdump does not collect as much detailed information as nstrace. Open NetScaler CLI and type shell. You can use filters with nstcpdump but cannot use filters specific to NetScaler resources. The dump output can be viewed directly within the CLI screen.
CTRL + C – Press these keys simultaneously to stop an nstcpdump.
nstcpdump.sh dst host x.x.x.x – Shows traffic sent to the destination host .
nstcpdump.sh src host x.x.x.x – Shows traffic from specified host.
nstcpdump.sh host x.x.x.x – Shows traffic to and from specified host IP.
nstcpdump.sh -c 10 dst host 192.168.0.242 – Outputs the first 10 packets from destination 192.168.0.242.
nstcpdump.sh dst host 192.168.0.242 and port 443 – Outputs traffic destined for 192.168.0.242 on port 443.
nstcpdump.sh src host x.x.x.x and port xx – Outputs traffic from specified source IP and specified port .
nstcpdump.sh host x.x.x.x and host x.x.x.x – Shows trafic between two specified host IPs.
nstcpdump.sh icmp – Outputs all sent and replied echo requests. NetScaler uses ICMP to track up/down status of DNS servers configured on NetScaler for example.
Note: Pings to DNS come from the SNIP, using static routes to force these pings through the NSIP for example will not work.
nstcpdump.sh icmp and dst host x.x.x.x – Outputs all sent echo requests to a specified destination host.
nstcpdump.sh icmp and dst host x.x.x.x -w /var/nstrace/output.cap – Outputs all sent echo request to a specified destination host and saves the output in the specified cap file.
nstcpdump.sh udp and not port 3003 and not port 1985 – Outputs all UDP traffic but excludes traffic on port 3003 and 1985.