The NetScaler has two separate mechanisms for capturing network traffic through the appliance: nstrace.sh and nstcpdump.sh. nstrace records packets in the native NetScaler trace format, which provides NIC-specific device information, including the device number and whether the packet was transmitted or received. However, the current stable version of Wireshark can’t read this packet capture.
After I did a bit of research, I found that the development version of Wireshark can open the nstrace packet capture properly. Below is the Wireshark development version which I use to open the standard nstrace packet capture.
In addition, the nstrace CLI provides the option to perform a standard tcpdump packet capture. The captured packets can be read by the Wireshark stable release.
nstrace -filter "ip==10.1.1.98 || ip==10.1.1.218" -size 0 -tcpdump enabled
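Before handing a trace to other tools, it can be checked offline that the file really is in tcpdump (libpcap) format and that every IPv4 packet involves one of the filtered hosts. The following is an added example, not code from the original post: the function names are hypothetical, the sample capture is constructed, and it assumes Ethernet framing and that the `ip==` filter matches either source or destination.

```python
import socket
import struct

# First 4 bytes read little-endian -> byte order of the file (usec and nsec variants).
PCAP_MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}
FILTER_IPS = ("10.1.1.98", "10.1.1.218")  # the two hosts in the nstrace filter above

def ipv4_pair(frame):
    """Return (src, dst) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 14:
        return None
    off = 12
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    if ethertype == 0x8100 and len(frame) >= 18:  # skip one 802.1Q VLAN tag
        off += 4
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    ip = frame[off + 2:]
    if ethertype != 0x0800 or len(ip) < 20:
        return None
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])

def summarize_capture(data, filter_ips=FILTER_IPS):
    """Return (is_pcap, ipv4_packets, packets_outside_filter)."""
    magic = struct.unpack("<I", data[:4])[0] if len(data) >= 24 else None
    endian = PCAP_MAGICS.get(magic)
    if endian is None:  # not libpcap, e.g. a trace saved in another format
        return (False, 0, 0)
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # 1 = LINKTYPE_ETHERNET
        return (True, 0, 0)  # other link types are not decoded here
    offset, seen, outside = 24, 0, 0
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:  # truncated final record
            break
        offset += 16 + incl_len
        pair = ipv4_pair(frame)
        if pair:
            seen += 1
            outside += 0 if set(pair) & set(filter_ips) else 1
    return (True, seen, outside)

def sample_pcap(pairs):
    """Constructed sample: little-endian pcap, one bare IPv4 header per (src, dst)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst in pairs:
        frame = bytes(12) + b"\x08\x00\x45" + bytes(11) + socket.inet_aton(src) + socket.inet_aton(dst)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

A non-zero third value means the capture holds IPv4 traffic between hosts that are not in the filter, which is worth checking before the file is shared.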