How to Record Network Packet Trace on NetScaler Appliance

This article describes how to record network packet trace using the Graphical User Interface (GUI) of a NetScaler appliance.

Points to Note

• Citrix recommends the use of "Live on the Bleeding Edge" Wireshark version from the "automated build section" of the following web link: http://www.wireshark.org/download/automated.

• In NetScaler software release 10.5 and later, to decrypt the capture, ensure that ECC (Elliptic Curve Cryptography) is disabled/removed from the virtual server before the trace is captured. For detailed steps refer to the Additional Resources section of this article.

To record the network packet trace on a NetScaler appliance, complete the following procedure based on the NetScaler firmware:

• NetScaler 9.3 - 10.1
• NetScaler 10.5 and Later

NetScaler 9.3 - 10.1

1. Expand the System node of the navigation pane on the appliance.

2. Select the Diagnostics node.

3. Click the Start new trace link in the Diagnostics page, as shown in the following screenshot:

   

4. Update the packet size to 0??in the Packet size field.

5. Select nstrace??as the Trace file format.
   Note: If NetScaler headers are not required then select tcpdump.

   

6. Click Start to start recording the network packet trace.

7. Click Stop to stop recording the network packet trace after the test is complete.

   

   An nstrace.cap file is generated, which contains the network packet trace.

8. Click Download.

9. Select the required file and click Select.

   

10. Click Browse in the Download Files dialog box to specify a location on the system to download the file.

11. Click Download, as shown in the following screen shot to download the selected file:

    

    Open the network packet trace file with the Wireshark utility to display the content of the file.

NetScaler 10.5 and Later

1. Expand the??System??node of the navigation pane on the appliance.

2. Select the??Diagnostics??node.

3. Click the??Start new trace??link under Technical Support Tools as shown in the following screen shot:

   

4. Update the packet size to??0??in the??Packet Size??field.

   

   Note:??If NetScaler headers are not required then select Capture trace in .pcap format.

5. Click??Start??to start recording the network packet trace.

6. Click OK??to stop recording the network packet trace after the test is complete.

   

   An nstrace.cap file is generated, which contains the network packet trace.

7. Highlight the required file and click??Download.

   

8. Specify a destination and save the packet trace.

9. Open the network packet trace file with the Wireshark utility to display the content of the file.

Note: Select Decrypted SSL packets (SSLPLAIN) to decrypt the packet trace without the private key.

Additionally, it is always recommended to add ip based filters while taking traces. This will ensure that you will capture only interested traffic which will further ease your troubleshooting.
Adding filters will also decrease the load on Netscaler while taking traces.

You will find the option to configure filters on the same page:


Simple IP based filters are enough to get the right captures. But you have additional options also.

Note:
On a unit handling Gigabytes of traffic per second, capturing traffic is a very resource intensive process.
The impact to resources is mainly in terms of CPU and Disk Space.
Disk Space impact can be reduced by using filtering expressions (e.g. capturing traffic only related to a particular IP).However the impact on CPU remains despite using expressions and in some cases might cause a slight further increase as NetScaler now needs to process packets according to the filter before capturing them.

??The best practise with regards to tracing are:
1. The duration for which the trace is run should be as limited as possible while still ensuring the packets of interest are captured.
2. Schedule the tracing activity to happen at a time when the number of users (and hence the traffic) is greatly reduced, such as during off hours.

Refer to the Wireshark Go deep web page for more information about the Wireshark utility.

Disable ECC Curve on Virtual Server from NetScaler GUI

1. Open the virtual server and navigate to ECC Curve.

   

2. If no ECC Curve is bound to the virtual server then no other action is required.

   

3. If any ECC Curve is bound to the virtual server then click the ECC Curve and Unbind it from the virtual server.

   

Disable ECC Curve on Virtual Server from NetScaler CLI

1. SSH to the NetScaler.

2. Run the following command for each ECC Curve bound to the virtual server:
   unbind ssl vserver "vServer_Name" -eccCurveName "ECC_Curve_Name"