
nstrace assistance



Dear Community,

 

Our Netscaler is seemingly sending suspect traffic to several suspect external IP addresses. After scouring the configs I cannot figure out why it is doing this. The traffic is originating from the Netscaler's Management IP address. I am trying to run the nstrace utility to see if it is truly the Netscaler sending the traffic; however, I ran into the following issue:

 

[Screenshot from the original post; image not preserved]

 

The device keeps telling me the expression is invalid. Can someone assist?

 

Thank you. 


Which version of the firmware are you on? nstrace uses different syntax pre-11.0 vs post-11.0 (not exactly at 11.0, but it does vary). (Destip == <ip>) is 9.x support mostly.

Syntax is easy to see using the expression builder for nstrace in the GUI if you need additional info.  Back in the 9.2-9.3 there were syntax variances between 9.x and 10.x prior to 11-ish.

If prior to 11.0 state your version (or use gui to see syntax supported is the easy way):  System > Diagnostics > nstrace.  But since you are using "start nstrace" the below should be fine.

 

Post-11.0 filters use advanced syntax, and instead of client.<stuff> or server.<stuff>, nstrace uses connection.<network stuff>

Like so:

connection.ip.eq(x.x.x.x)

 

Then the -link enabled will catch all associated traffic to/from that IP.

Don't forget to adjust packet size and whether or not you want cap vs pcap format...

 

start nstrace -traceformat pcap -size 0 -filter "connection.ip.eq(x.x.x.x)" -link enabled

# other values as needed; again see GUI for easy view of options and then view syslog to see what the cli version would be

stop nstrace

# when complete...

 

One other note: in 11.x and later, the nstrace, at least in the GUI, doesn't accept <spaces> between clauses if you do a compound expression:

GUI won't like this: 

connection.IP.EQ(192.168.10.254) || connection.IP.EQ(192.168.10.253) 

But will take it without the spaces around the OR sign ||

connection.IP.EQ(192.168.10.254)||connection.IP.EQ(192.168.10.253)  

 

Don't know if it makes a difference at cli; but GUI chokes on it since 11.1 (or 11.0) and later; though it used to not care.

 
