NetScaler has long had the ability to take network traces and analyze it in tools like WireShark. Network traces can be captured in standard tcpdump format or a NetScaler specific format. The NetScaler specific format has additional connection information that makes it easier to troubleshoot issues. For a long while, NetScaler engineers used a modified WireShark version (previously called Ethereal) to view and analyze NetScaler traces.

Recently, our developers contributed this patch to the open source Wireshark development and the next version (1.3.0) of Wireshark will include the ability to understand NetScaler format packet traces. In the interim, the modified Wireshark version is available for download at CTX122313. This version will work on Windows. The article also shows how you can use the NetScaler traces to use the additional data.

To capture a network trace on the NetScaler, you need to log in to the command line interface and get into the shell (by typing shell).
To capture a trace in the NetScaler format, type in
#nstrace.sh -sz 0

-sz 0 captures the full packet. With no argument (default), only the first 164 bytes of the packet are captured.

You can also use the GUI to capture traces (under System/ Diagnostics).
#nstrace.sh -help
details the other options available.

Upload the file to using ftp, scp etc and analyze using the modified Wireshark.

To capture traces in the tcpdump format,
#nstcpdump.sh
(Most standard tcpdump options are supported)