Commonly Used Options and Filters with nstcpdump.sh NetScaler Script

  • -i<Interface_Number>: to restrict recording of the packets to the specified interface. You can use this option multiple times to select multiple interfaces.

Note: The -i, -r and -F options are not supported on NetScaler 10.5; the following message is displayed when the script is run with any of them:

nstcpdump.sh: utility to view/save/sniff LIVE packet capture on NETSCALER box
tcpdump version 4.0.0
libpcap version 1.0.0
Usage: tcpdump [-aAdDefKlLnNOpqRStuUvxX] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -M secret ] [ -r file ]
[ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ]
[ -y datalinktype ] [ -z command ] [ -Z user ]
[ expression ]
NOTE: tcpdump options -i, -r and -F are NOT SUPPORTED by this utility

For NetScaler 10.5, if you want to filter traffic based on the interface, then the following command can be used:

start nstrace -size 0 -tcpdump ENABLED -filter CONNECTION.INTF.EQ("1/1")

Filter Expressions

The following is a list of some options you can use in the filter expression. You can combine multiple expressions by using the boolean operators.

  • host <IP_Address>: to restrict recording of the packets to or from the specified host IP address.

  • net <Subnet_Address> mask <Netmask>: to restrict recording of the packets from the specified subnet.

  • port <Port_Number>: to restrict recording of the packets for the specified TCP or UDP port.

  • portrange <From_Port_Number>-<To_Port_Number>: to restrict recording of the packets for the specified range of the TCP or UDP port numbers.

  • dst port <Port_Number>: to restrict recording of the packets for the specified destination TCP or UDP port numbers.

  • src port <Port_Number>: to restrict recording of the packets from the specified source TCP or UDP port numbers.

  • tcp: to restrict recording of the packets only to the TCP packets. This option is a substitute for the ip proto x option.

  • udp: to restrict recording of the packets only to the UDP packets.

  • arp: to restrict recording of the packets only to the ARP packets.

  • icmp: to restrict recording of the packets only to the ICMP packets.

The operators that can be used with filter expressions are ==, eq, !=, neq, >, gt, <, lt, >=, ge, <=, le, and BETWEEN. Additionally, multiple sets of qualifiers can be combined with the boolean && or || operators.

Examples

The following are some of the examples for running the nstcpdump.sh script:

  • root@ns# nstcpdump.sh -X dst host 10.102.13.14 and port 80

    The output of this command is displayed on stdout and consists of all TCP port 80 traffic destined to the 10.102.13.14 IP address.

  • root@ns# nstcpdump.sh -w /var/trace/trace1.cap -i 1/1 -i 1/2

    The output of this command is directed to the /var/trace/trace1.cap file and consists of all traffic on the interfaces 1/1 and 1/2.

  • root@ns# nstcpdump.sh -w /var/trace/trace2.cap host 10.102.13.14 and not port 443

    The output of this command is directed to the /var/trace/trace2.cap file and consists of all traffic to or from the host IP address 10.102.13.14 whose source or destination port is not 443.

  • root@ns# nstcpdump.sh host 10.102.13.14 and host 10.102.13.15

    The output of this command is displayed on stdout and consists of all traffic between the host IP addresses 10.102.13.14 and 10.102.13.15.

Sample Output

The following is a sample output of the nstcpdump.sh script:

root@103# nstcpdump.sh port 80
Setting 1000 pages (4000 KB) of trace buffers ... Done.
Enabling all nic trace mode=6 ... Done.
Changing trace packet length from 0 to 0 ... Done.
Saving current trace data in file 'pipe' for '3600' seconds ... in TCPDUMP format
18:17:13.391479 10.198.4.112.29221 > 10.198.4.41.http: S 1430428239:1430428239(0) win 8190 <mss 1460>
18:17:13.391599 10.198.4.41.http > 10.198.4.112.29221: R 0:0(0) ack 1430428240 win 0 (DF)
18:17:13.691462 10.198.4.112.29217 > 10.198.4.204.http: R 1430282160:1430282160(0) win 9800
18:17:13.691467 10.198.4.112.29217 > 10.198.4.204.http: R 1430282160:1430282160(0) win 9800
18:17:16.091528 127.0.0.2.61049 > localhost.http: S 1430522929:1430522929(0) win 8190 <mss 1460>
18:17:16.091566 localhost.http > 127.0.0.2.61049: S 1213225328:1213225328(0) ack 1430522930 win 57344 <mss 1460> (DF)
18:17:16.091570 127.0.0.2.61049 > localhost.http: F 1:1(0) ack 1 win 8190
18:17:16.091585 localhost.http > 127.0.0.2.61049: . ack 2 win 58400 (DF)
18:17:16.091654 localhost.http > 127.0.0.2.61049: F 1:1(0) ack 2 win 58400 (DF)
18:17:16.091665 127.0.0.2.61049 > localhost.http: . ack 2 win 8190

The following table breaks down the first entry (18:17:13.391479) of the preceding output into its fields:

Field             Value
Timestamp         18:17:13.391479
Source IP         10.198.4.112
Source Port       29221
Direction         >
Destination IP    10.198.4.41
Destination Port  http
TCP Flags         S
Sequence Number   1430428239:1430428239(0)
Additional Info   win 8190 <mss 1460>
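As an added example (not part of the original article), the following Python parser splits nstcpdump.sh output lines into the fields of the table above, applies the host, dst host and port semantics from the Filter Expressions section to the parsed packets, and flags SYNs that the target answered with a RST (the first two lines of the sample show one). The SERVICES map is a minimal assumption, and the sample input is constructed from the output above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines taken from the nstcpdump.sh output above (one status line included).
SAMPLE = """\
Saving current trace data in file 'pipe' for '3600' seconds ... in TCPDUMP format
18:17:13.391479 10.198.4.112.29221 > 10.198.4.41.http: S 1430428239:1430428239(0) win 8190 <mss 1460>
18:17:13.391599 10.198.4.41.http > 10.198.4.112.29221: R 0:0(0) ack 1430428240 win 0 (DF)
18:17:16.091528 127.0.0.2.61049 > localhost.http: S 1430522929:1430522929(0) win 8190 <mss 1460>
18:17:16.091566 localhost.http > 127.0.0.2.61049: S 1213225328:1213225328(0) ack 1430522930 win 57344 <mss 1460> (DF)
"""
SERVICES = {"http": 80, "https": 443}  # names tcpdump prints without -n (minimal map, assumption)

# <time> <src>.<sport> > <dst>.<dport>: <flags> [seq:seq(len)] [ack N] win N [<options>] [(DF)]
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>[^.\s]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[^.\s:]+): (?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))? win (?P<win>\d+)")

@dataclass
class Packet:
    ts: str; src: str; sport: int; dst: str; dport: int
    flags: str; seq: Optional[int]; ack: Optional[int]; win: int

def port_number(token: str) -> int:
    return int(token) if token.isdigit() else SERVICES[token]

def parse_line(line: str) -> Optional[Packet]:
    """Packet for a capture line; None for status lines such as 'Saving current trace data ...'."""
    m = LINE_RE.match(line)
    if not m: return None
    return Packet(m["ts"], m["src"], port_number(m["sport"]), m["dst"], port_number(m["dport"]),
                  m["flags"], int(m["seq"]) if m["seq"] else None,
                  int(m["ack"]) if m["ack"] else None, int(m["win"]))

def parse_capture(text: str) -> List[Packet]:
    return [p for p in map(parse_line, text.splitlines()) if p]

# The page's filter primitives applied to parsed packets: 'host X' matches either endpoint,
# 'dst host X' only the destination, 'port N' either port (so 'not port 443' drops both directions).
def host(p: Packet, ip: str) -> bool: return ip in (p.src, p.dst)
def dst_host(p: Packet, ip: str) -> bool: return p.dst == ip
def port(p: Packet, n: int) -> bool: return n in (p.sport, p.dport)

def refused_syns(packets: List[Packet]) -> List[Packet]:
    """SYNs answered by a RST acknowledging seq+1: the target refused the connection."""
    rsts = {(p.src, p.sport, p.dst, p.dport, p.ack) for p in packets if "R" in p.flags}
    return [s for s in packets if s.flags == "S" and s.ack is None
            and (s.dst, s.dport, s.src, s.sport, s.seq + 1) in rsts]
```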
