Product Documentation

Tracing the Packets of a NetScaler Cluster

Feb 09, 2015

The NetScaler operating system provides a utility called nstrace to get a dump of the packets that are received and sent out by an appliance. The utility stores the packets in trace files. You can use these files to debug problems in the flow of packets to the cluster nodes. The trace files must be viewed with the Wireshark application.

Some salient aspects of the nstrace utility are:

  • Can be configured to trace packets selectively by using classic expressions and default expressions.
  • Can capture the trace in multiple formats: nstrace format (.cap) and TCP dump format (.pcap).
  • Can aggregate the trace files of all cluster nodes on the configuration coordinator.
  • Can merge multiple trace files into a single trace file (only for .cap files).

You can use the nstrace utility from the NetScaler command line or the NetScaler shell.

To trace packets of a standalone appliance

Run the start nstrace command on the appliance. The command creates trace files in the /var/nstrace/<date-timestamp> directory. The trace file names are of the form nstrace<id>.cap.

You can view the status by executing the show nstrace command. You can stop tracing the packets by executing the stop nstrace command.

Note: You can also run the nstrace utility from the NetScaler shell by executing the file. However, it is recommended that you use the nstrace utility through the NetScaler command line interface.

To trace packets of a cluster

You can trace the packets on all the cluster nodes and obtain all the trace files on the configuration coordinator.

Run the start nstrace command on the cluster IP address. The command is propagated and executed on all the cluster nodes. The trace files are stored in individual cluster nodes in the /var/nstrace/<date-timestamp> directory. The trace file names are of the form nstrace<id>_node<id>.cap.

You can use the trace files of each node to debug the nodes operations. But if you want the trace files of all cluster nodes in one location, you must run the stop nstrace command on the cluster IP address. The trace files of all the nodes are downloaded on the cluster configuration coordinator in the /var/nstrace/<date-timestamp> directory as follows:

Merge multiple trace files

You can prepare a single file from the trace files (supported only for .cap files) obtained from the cluster nodes. The single trace files gives you a cumulative view of the trace of the cluster packets. The trace entries in the single trace file are sorted based on the time the packets were received on the cluster.

To merge the trace files, at the NetScaler shell, type: -srcdir <DIR> -dstdir <DIR> -filename <name> -filesize <num>


  • srcdir is the directory from which the trace files are merged. All trace files within this directory are merged into a single file.
  • dstdir is the directory where the merged trace file are created.
  • filename is the name of the trace file that is created.
  • filesize is the size of the trace file.


Following are some examples of using the nstrace utility to filter packets.

  • To trace the packets on the backplane interfaces of three nodes:

    Using classic expressions:

    start nstrace -filter "INTF == 0/1/1 && INTF == 1/1/1 && INTF == 2/1/1"

    Using default expressions:

    start nstrace -filter "CONNECTION.INTF.EQ("0/1/1") && CONNECTION.INTF.EQ("1/1/1") && CONNECTION.INTF.EQ("2/1/1")"
  • To trace the packets from a source IP address or from a system whose source port is greater than 80 and the service name is not "s1":

    Using classic expressions

    start nstrace -filter "SOURCEIP == || (SVCNAME != s1 && SOURCEPORT > 80)"

    Using default expressions

    start nstrace -filter "CONNECTION.SRCIP.EQ( || (CONNECTION.SVCNAME.NE("s1") && CONNECTION.SRCPORT.GT(80))"