Read the Citrix nstrace packet capture by wireshark

The NetScaler has two separate mechanisms available to capture the network traffic through the appliance: nstrace.sh and nstcpdump.sh. NStrace records network packets trace in the native NetScaler trace format, which provides specific NIC device information including device number and whether the packet was transmitted or received. However, the current stable version of wireshark can’t read the packet capture.

After I did a bit of research, I found the development version of Wireshark can open nstrace packet capture properly. Below shows the wireshark developement version which i use to open the standard nstrace packet capture.

Nstrace1

In addition, nstrace CLI do provide the option to perform a standard tcpdump packet capture. The captured packets can be read by wireshark stable release.

nstrace -filter “ip==10.1.1.98 || ip==10.1.1.218” -size 0 -tcpdump enabled

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s