Netscaler Command Line Packet Capture

How to perform a network packet capture using the Netscaler shell

There are a few different ways to do this.

To use nstrace, first log in to the Netscaler

login as: netscaler.user
Using keyboard-interactive authentication.
Password: ****
Last login: Mon Oct  5 12:31:22 2015 from 10.0.0.10
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

 Done
>


Then use the nstrace command, e.g.:

nstrace -filter "DESTIP == 10.0.0.20" -link ENABLED -size 0

The -size 0 option captures the entire packet rather than only the packet headers, which is what NetScaler captures by default.

If you want to use multiple filters, enclose them in quotes and separate them with a double pipe (||):

nstrace -filter "DESTIP == 10.0.0.20 || DESTPORT == 25" -link ENABLED -size 0

The trace file is located under /var/nstrace. Use WinSCP to copy the file off the NetScaler so that you can open it in Wireshark.

nstrace names the file nstraceX.cap automatically, where X is the trace number.

> shell
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.

root@NS-TEST101#
root@NS-TEST101# ls -las /var/nstrace/
total xxxx
     2 drwxr-xr-x   8 root  wheel        512 Oct  6 12:03 .
     2 drwxr-xr-x  28 root  wheel        512 Apr 11  2014 ..
304384 -rw-r--r--   1 root  wheel  311508992 Oct  5 12:18 nstrace1.cap
 65888 -rw-r--r--   1 root  wheel   67395584 Oct  6 11:41 nstrace2.cap
 56352 -rw-r--r--   1 root  wheel   57655296 Oct  6 12:05 nstrace3.cap
root@NS-TEST101#

You may notice the format is a little funky, because NetScaler uses its own version of the cap format, and older versions of Wireshark don't support it. You may prefer to run the capture in the standard WinPcap format instead:

nstrace -filter "DESTIP == 10.0.0.150 || DESTPORT == 25" -link ENABLED -size 0 -tcpDump TCPDUMP

Those familiar with tcpdump may prefer to use this, as it is built into the shell.
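As an added example (not part of the original post or of NetScaler's tooling), a small Python check to run on a capture after copying it off the box: it confirms the file carries a standard libpcap header rather than the NetScaler-native format, and counts records whose incl_len is shorter than orig_len, i.e. packets that were cut short at capture time, which is what -size 0 is meant to avoid. The build_pcap helper and the two sample captures are constructed for this example; the snaplen values are illustrative, not NetScaler defaults.

```python
import struct
import sys

# Magic numbers of the standard libpcap file format (microsecond and
# nanosecond variants), mapped to the struct byte-order prefix to use.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<",
    b"\xa1\xb2\x3c\x4d": ">", b"\x4d\x3c\xb2\xa1": "<",
}

def inspect_capture(data):
    """Summarise a capture buffer: file format, snaplen, packet count and how
    many records were truncated (incl_len < orig_len). A NetScaler-native .cap
    has no libpcap magic, so it is reported as 'unknown' rather than parsed."""
    order = PCAP_MAGICS.get(data[:4])
    if order is None:
        return {"format": "unknown", "snaplen": None, "packets": 0, "truncated": 0}
    # Global header after the magic: version major/minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, snaplen, _ = struct.unpack(order + "HHiIII", data[4:24])
    packets = truncated = 0
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        packets += 1
        if incl_len < orig_len:   # bytes were cut off when the packet was captured
            truncated += 1
        off += 16 + incl_len
    return {"format": "pcap", "snaplen": snaplen, "packets": packets, "truncated": truncated}

def build_pcap(snaplen, records):
    """Construct a little-endian pcap (Ethernet linktype) from (incl_len, orig_len)
    pairs with dummy payload bytes. Exists only to produce sample input."""
    out = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, snaplen, 1)
    for n, (incl_len, orig_len) in enumerate(records):
        out += struct.pack("<IIII", 1444046400 + n, 0, incl_len, orig_len) + b"\x00" * incl_len
    return out

# Constructed samples: a headers-only capture (second packet cut short) and a full one.
TRUNCATED_SAMPLE = build_pcap(164, [(60, 60), (164, 1514)])
FULL_SAMPLE = build_pcap(65535, [(60, 60), (1514, 1514)])

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print(inspect_capture(f.read()))
```

A non-zero truncated count on a trace taken without -size 0 is expected; on a -size 0 trace it indicates the capture did not keep whole packets.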

For the full command reference:
NSTRACE