How to record a packet trace on Citrix ADC

This troubleshooting article explains how an administrator can record a network packet trace using the Citrix ADC GUI.

Points to remember

  • Citrix recommends that you use the recent Wireshark version from the “automated build section” available at the following webpage: http://www.wireshark.org/download/automated.

  • In Citrix ADC version 11.1 or later, to decrypt the capture, ensure that ECC (Elliptic Curve Cryptography), Session Reuse, and DH parameters are disabled on the virtual server. You must do this before you capture a trace.

Record packet trace on NetScaler version 11.1

  1. Navigate to the System > Diagnostics page.
  2. Click the Start new trace link on the Diagnostics page, as shown in the following screenshot.

    Accessing Diagnostic page

  3. Update the packet size to 0 in the Packet size field.

    Packet size

  4. Click Start to start recording the network packet trace.
  5. Click Stop and Download to stop recording the network packet trace after the test is complete.

    Stop and Download trace

  6. Select the required file, click Select, and then click Download.

    Download packet trace

  7. Open the network packet trace file with the Wireshark utility to display the content of the file.

    Note: Select Decrypted SSL packets (SSLPLAIN) to decrypt the packet trace without the private key.

    Decrypted SSL packets

Capture SSL master keys

In versions 11.0, 11.1, and above, there is an option to capture the session keys, which are valid only for that particular session/nstrace. This option can be used if you do not want to share the private key or use SSLPLAIN mode. For more information, see https://support.citrix.com/article/CTX135889.

Export Session Keys without sharing Private key

In most scenarios, the private key is not available or shared. In such scenarios, we suggest exporting the SSL session keys instead of the private key. For more information, read How to Export and Use SSL Session Keys to Decrypt SSL Traces Without Sharing the SSL Private Key at https://support.citrix.com/article/CTX135889.

Filters

It is always recommended to add IP-based filters while taking traces. Filtering ensures that you capture only the traffic of interest, which eases troubleshooting. Adding filters also decreases the load on the appliance while taking traces.

Filter section

Simple IP-based filters are enough to get the right captures. For more information about nstrace filters and examples, see the Citrix Documentation page.

Use case to capture a packet trace with virtual server IP filter (both front-end and back-end)

By using a filter on the virtual server IP address and enabling the option “-link” in the CLI, or selecting the option “Trace filtered connection peer traffic” in the GUI (available in 10.1 and above), you can capture both the front-end and back-end traffic for the IP address.

start nstrace -size 0 -filter "CONNECTION.IP.EQ(1.1.1.1)" -link ENABLED

show nstrace
        State:  RUNNING          Scope:  LOCAL            TraceLocation:  "/var/nstrace/24Mar2017_16_00_19/..." Nf:  24  Time:  3600              Size:  0 Mode:  TXB NEW_RX
        Traceformat:  NSCAP      PerNIC:  DISABLED        FileName:  24Mar2017_16_00_19 Filter:  "CONNECTION.IP.EQ(1.1.1.1)" Link:  ENABLED           Merge:  ONSTOP           Doruntimecleanup:  ENABLED
        TraceBuffers:  5000      SkipRPC:  DISABLED       Capsslkeys:  DISABLED    InMemoryTrace:  DISABLED
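
The following is an added example, not part of the original Citrix article: a Python check that parses the show nstrace output above and reports settings that depart from this article's guidance (filter, -link, size 0, a way to decrypt without the private key). The function names are hypothetical, and it assumes that SSLPLAIN appears in the Mode field when that mode is set.

```python
import re

# Constructed sample: the "show nstrace" output shown in the article above.
SAMPLE = '''\
        State:  RUNNING          Scope:  LOCAL            TraceLocation:  "/var/nstrace/24Mar2017_16_00_19/..." Nf:  24  Time:  3600              Size:  0 Mode:  TXB NEW_RX
        Traceformat:  NSCAP      PerNIC:  DISABLED        FileName:  24Mar2017_16_00_19 Filter:  "CONNECTION.IP.EQ(1.1.1.1)" Link:  ENABLED           Merge:  ONSTOP           Doruntimecleanup:  ENABLED
        TraceBuffers:  5000      SkipRPC:  DISABLED       Capsslkeys:  DISABLED    InMemoryTrace:  DISABLED
'''

# A field is "Name:  value"; the value runs until the next "Name:" or end of line,
# so multi-word values such as "TXB NEW_RX" stay in one piece.
FIELD = re.compile(r'(\w+):\s+(.*?)(?=\s+\w+:\s|\s*$)', re.MULTILINE)


def parse_show_nstrace(text):
    """Return the fields of a 'show nstrace' listing as a dict of strings."""
    return {name: value.strip().strip('"') for name, value in FIELD.findall(text)}


def review_trace(fields):
    """Compare a parsed trace configuration with the article's recommendations."""
    findings = []
    if fields.get("State") != "RUNNING":
        findings.append("trace is not running")
    if not fields.get("Filter"):
        findings.append("no filter: every connection is captured, adding load on the appliance")
    elif fields.get("Link") != "ENABLED":
        findings.append("-link is not enabled: peer traffic of filtered connections is not captured")
    if fields.get("Size") != "0":
        findings.append("Size is not 0: full packets are not captured")
    # Assumption: SSLPLAIN is listed in Mode when the trace was started in that mode.
    modes = fields.get("Mode", "").split()
    if fields.get("Capsslkeys") != "ENABLED" and "SSLPLAIN" not in modes:
        findings.append("neither Capsslkeys nor SSLPLAIN: decryption will need the private key")
    return findings


if __name__ == "__main__":
    for finding in review_trace(parse_show_nstrace(SAMPLE)):
        print("WARN:", finding)
```

For the trace shown in this article, the only finding is the last one, because Capsslkeys is DISABLED and the mode is TXB NEW_RX.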