Netscaler Nstrace vs Nstcpdump vs Tcpdump

Nstrace VS nstcpdump VS tcpdump

In a Netscaler environment, there are three main tools used for capturing and analyzing network traffic: nstrace, nstcpdump, and tcpdump. Here is a comparison of these tools:

  1. nstrace:

    • Functionality: Nstrace is a Netscaler-specific tool that allows you to capture and analyze network traffic, including HTTP, SSL, and other protocols, on a Netscaler appliance.
    • Usage: Nstrace is commonly used for troubleshooting application delivery and networking issues within a Netscaler environment.
    • Features: Nstrace provides detailed visibility into the traffic flowing through the Netscaler appliance, allowing administrators to diagnose and resolve network problems efficiently.
    • Command: The basic command to use nstrace is nstrace <options>, where you can specify various options to capture and filter network traffic on a Netscaler appliance.
  2. nstcpdump:

    • Functionality: Nstcpdump is a Netscaler-specific version of tcpdump that is optimized for capturing network traffic on Netscaler appliances.
    • Usage: Nstcpdump is designed to work seamlessly with Netscaler configurations and provides additional features tailored for Netscaler environments.
    • Features: Nstcpdump may have specific options or enhancements that are optimized for Netscaler appliances, making it easier to capture and analyze traffic in a Netscaler environment.
    • Command: The basic command to use nstcpdump is nstcpdump <options>, where you can specify various options to capture and filter network traffic on a Netscaler appliance.
  3. tcpdump:

    • Functionality: Tcpdump is a widely used command-line packet analyzer tool that allows you to capture and analyze network traffic on a specific interface.
    • Usage: Tcpdump is a versatile tool used for troubleshooting network issues, monitoring network activity, and analyzing packets for security purposes in various network environments.
    • Features: Tcpdump provides a wide range of options for capturing and filtering network traffic, making it a powerful tool for network analysis.
    • Command: The basic command to use tcpdump is tcpdump <options>, where you specify the interface on which you want to capture traffic and apply filters as needed.

When deciding between nstrace, nstcpdump, and tcpdump in a Netscaler environment, consider the specific requirements of your network analysis tasks. Nstrace and nstcpdump are tailored for Netscaler appliances and provide features optimized for Netscaler configurations, while tcpdump is a more general-purpose packet analyzer tool that can be used in various network environments.

nstrace

You can record a packet trace using the NetScaler GUI. The trace is stored in nstrace.cap.

Navigate to System > Diagnostics. Click Start new trace under Technical Support Tools. In the Start Trace page update the following fields:

Packet Size - Enter the size of the packet to capture during the trace. Enter 0 for full packet trace.

Default value: 164. Minimum value: 0. Maximum value: 1514.

Check the “Capture SSL Master Keys” option, which captures the SSL session keys you will need to decrypt the data in Wireshark. Click Start.

Now reproduce the issue you are capturing the trace for. Once done, stop the trace; it will download the nstrace.cap and nstrace.sslkeys files.

Open Wireshark and open the nstrace.cap file you just downloaded. In Wireshark, go to Edit > Preferences and click Protocols. Scroll down and select TLS. Under the (Pre)-Master-Secret log filename option, browse for the key file you downloaded (nstrace.sslkeys); with it loaded, Wireshark can decrypt the SSL/TLS traffic in the trace.

In Wireshark, apply the filter ip.addr==VIP_IP_Address. This shows the communication from the client to the NetScaler. In the lower pane, where the packet details such as Frame, Ethernet II, Internet Protocol Version and Transmission Control Protocol are listed, look for the field “Netscaler packet trace”. Expand it and go to PcbDevNo. Right-click it and select Apply as Filter > Selected.

The resulting filter will look something like nstrace.pdevno == 0x000075c0 (the packet details call the field PcbDevNo, but in the filter it appears as pdevno). Now extend the existing filter with an or condition, as shown below:

nstrace.pdevno == 0x000075c0 || nstrace.l_pdevno == 0x000075c0 - This includes both the client-to-NetScaler and the NetScaler-to-backend-server side of the connection.

From the CLI you can also limit the trace to specific vservers, IPs, etc., for example:

start nstrace -size 0 -filter "CONNECTION.IP.EQ(10.10.10.100)" -link ENABLED

TCPdump

Tcpdump is a command-line packet analyzer tool that allows you to capture and analyze network traffic on a specific interface. It is commonly used for troubleshooting network issues, monitoring network activity, and analyzing packets for security purposes.

In Netscaler, tcpdump can be used to capture network traffic on the appliance for troubleshooting purposes. Here is a general outline of how you can use tcpdump in Netscaler:

  1. Access the Netscaler command line interface (CLI) either through SSH or the console.

  2. Use the tcpdump command to start capturing network traffic on a specific interface. For example:

    tcpdump -i <interface> -s 0 -w <output_file>
    
    • -i <interface>: Specify the interface on which you want to capture traffic.
    • -s 0: Set the snapshot length to 0 to capture the entire packet.
    • -w <output_file>: Write the captured packets to a file for later analysis.
  3. You can also apply filters to tcpdump to capture specific types of traffic. For example, to capture only HTTP traffic:

    tcpdump -i <interface> port 80 -s 0 -w <output_file>
    
  4. Once you have captured the network traffic, you can analyze the output file using tools like Wireshark to inspect the packets in detail.

Nstcpdump

In Netscaler, nstcpdump is a command-line tool that allows you to capture and analyze network traffic on a Netscaler appliance. nstcpdump is specifically designed for Netscaler environments and provides additional features and optimizations tailored for Netscaler configurations. Here is an overview of how to use nstcpdump in Netscaler along with some examples:

Usage of nstcpdump in Netscaler:

  1. Accessing the Netscaler Command Line Interface (CLI):

    • Log in to the Netscaler appliance using SSH or the console to access the command line interface.
  2. Using nstcpdump:

    • The basic syntax for using nstcpdump is:

      nstcpdump <options>
      
    • Replace <options> with the specific parameters you want to use for capturing network traffic.

  3. Common Options:

    • Some common options you can use with nstcpdump include:
      • -i <interface>: Specify the interface on which you want to capture traffic.
      • -s <snaplen>: Set the snapshot length to capture a specific portion of each packet.
      • -w <output_file>: Write the captured packets to a file for later analysis.
      • -nn: Display IP addresses and port numbers numerically.
      • -c <count>: Capture a specific number of packets and then stop.
  4. Filtering Traffic:

    • You can apply filters to capture specific types of traffic. For example, to capture only HTTP traffic on interface 0/1:

      nstcpdump -i 0/1 'port 80'
      
  5. Saving Output to a File:

    • To save the captured packets to a file for further analysis, you can use the -w option. For example:

      nstcpdump -i 0/1 -w capture.pcap
      
  6. Stopping the Capture:

    • You can stop the capture by pressing Ctrl+C in the command line interface.

Examples of nstcpdump in Netscaler:

  1. Capture traffic on interface 1/1:

    nstcpdump -i 1/1
    
  2. Capture HTTP traffic on interface 0/0 and save it to a file:

    nstcpdump -i 0/0 'port 80' -w http_capture.pcap
    
  3. Capture DNS traffic on all interfaces:

    nstcpdump 'port 53'
    
  4. Capture traffic on interface 1/2 with a snapshot length of 100 bytes:

    nstcpdump -i 1/2 -s 100
    

A few other examples:

1. View the traffic for a specific IP

nstcpdump.sh host <host-IP>

2. View the traffic between two specific IPs

nstcpdump.sh host <host-IP> and host <host-IP>

3. View the traffic on a specific port

nstcpdump.sh port <port>

4. Capture the tcpdump data to a Wireshark capture file

nstcpdump.sh port <port> -w /var/tmp/test.pcap

5. Capture the traffic on multiple interfaces to a Wireshark capture file

nstcpdump.sh -w /var/tmp/test.pcap -i 1/1 -i 1/2 (Note: the -i option does not work on its own; it only takes effect together with a -w Wireshark capture file)

6. View the traffic for a specific destination IP and destination port

nstcpdump.sh dst host <host-IP> and dst port <port> /// nstcpdump.sh dst host <host-IP> and port <port>

7. View the traffic for an entire subnet

nstcpdump.sh net <network> mask <netmask>

8. View the traffic for a specific IP within a port range

nstcpdump.sh host <host-IP> and portrange <low>-<high>

nstcpdump.sh host 1.1.1.1 and portrange 65540-65535

9. Capture only the specified number of packets

nstcpdump.sh -c 65000 host 1.1.1.1

10. View the traffic destined for either of two IPs

nstcpdump.sh host 1.1.1.1 or host 2.2.2.2

11. View the TCP/UDP traffic for a specific host

nstcpdump.sh host 1.1.1.1 and tcp /// nstcpdump.sh host 1.1.1.1 and udp

12. View the ARP/ICMP traffic for a specific host

nstcpdump.sh host 1.1.1.1 and arp /// nstcpdump.sh host 1.1.1.1 and icmp
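As an added example (not code from the original post or from Citrix), two small shell helpers that assemble the start nstrace and nstcpdump.sh command lines used in this post and reject what the post documents as invalid: a packet size outside 0..1514, and -i given without -w. The helper names build_nstrace_cmd and build_nstcpdump_cmd are hypothetical.

```shell
#!/bin/sh
# Added example, not the original post's code: assemble the two NetScaler capture
# commands shown above and reject arguments the post documents as invalid.
# The helper names build_nstrace_cmd / build_nstcpdump_cmd are hypothetical.

# "start nstrace" line. Packet size must be 0..1514 (0 = full packet); the
# optional filter is a NetScaler expression such as CONNECTION.IP.EQ(...).
# -link ENABLED is appended, as in the post, so the peer side of the
# filtered connection is captured as well.
build_nstrace_cmd() {
    size="$1"; filter="$2"
    case "$size" in
        ''|*[!0-9]*) echo "error: packet size must be a number" >&2; return 1 ;;
    esac
    if [ "$size" -gt 1514 ]; then
        echo "error: packet size must be between 0 and 1514" >&2; return 1
    fi
    cmd="start nstrace -size $size"
    [ -n "$filter" ] && cmd="$cmd -filter \"$filter\""
    echo "$cmd -link ENABLED"
}

# nstcpdump.sh line: optional output file, zero or more interfaces (NetScaler
# names look like 0/1 or 1/1) and a tcpdump-style expression. As noted above,
# -i only takes effect together with -w, so that combination is enforced here.
build_nstcpdump_cmd() {
    outfile="$1"; ifaces="$2"; bpf="$3"
    if [ -n "$ifaces" ] && [ -z "$outfile" ]; then
        echo "error: -i requires -w <file>" >&2; return 1
    fi
    cmd="nstcpdump.sh"
    [ -n "$outfile" ] && cmd="$cmd -w $outfile"
    for i in $ifaces; do
        case "$i" in
            */*) cmd="$cmd -i $i" ;;
            *) echo "error: bad interface name '$i' (expected N/N)" >&2; return 1 ;;
        esac
    done
    [ -n "$bpf" ] && cmd="$cmd $bpf"
    echo "$cmd"
}

# Usage: prints the two command lines used earlier in this post.
build_nstrace_cmd 0 'CONNECTION.IP.EQ(10.10.10.100)'
build_nstcpdump_cmd /var/tmp/test.pcap '1/1 1/2'
```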
