Note: The -i, -r and -F options are not supported on NetScaler 10.5. When nstcpdump.sh is run with any of these options, the capture does not start and the following usage message is displayed instead:

    nstcpdump.sh: utility to view/save/sniff LIVE packet capture on NETSCALER box
    tcpdump version 4.0.0
    libpcap version 1.0.0
    Usage: tcpdump [-aAdDefKlLnNOpqRStuUvxX] [ -c count ]
                   [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                   [ -i interface ] [ -M secret ] [ -r file ]
                   [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ]
                   [ -y datalinktype ] [ -z command ] [ -Z user ]
                   [ expression ]
    NOTE: tcpdump options -i, -r and -F are NOT SUPPORTED by this utility
Because -i is not available, nstcpdump.sh on NetScaler 10.5 always captures on all interfaces. To restrict the capture to a single interface, use nstrace instead, with -tcpdump ENABLED so that the file is written in tcpdump (pcap) format and -size 0 so that full packets are captured rather than truncated ones:

    start nstrace -size 0 -tcpdump ENABLED -filter CONNECTION.INTF.EQ("1/1")

If the filter expression contains spaces (for example when two qualifiers are joined with &&), enclose the whole expression in double quotes and escape the inner quotes, as in -filter "CONNECTION.INTF.EQ(\"1/1\") && CONNECTION.DSTPORT.EQ(80)".
Filter Expressions
The following is a list of some options you can use in the filter expression. Multiple expressions can be combined using the boolean operators.
The operators available in a NetScaler filter expression (the kind passed to nstrace -filter above) are ==, eq, !=, neq, >, gt, <, lt, >=, ge, <=, le, and BETWEEN. Multiple qualifiers can be combined with the boolean && (and) or || (or) operator. Note that the expression given to nstcpdump.sh itself is an ordinary tcpdump filter expression (for example host 10.198.4.41 and port 80), which uses the pcap-filter keywords and, or and not rather than the operators listed here.
Examples
The following are some examples of running the nstcpdump.sh script:
Sample Output
The following is a sample output of the nstcpdump.sh script:
    root@103# nstcpdump.sh port 80
    Setting 1000 pages (4000 KB) of trace buffers ... Done.
    Enabling all nic trace mode=6 ... Done.
    Changing trace packet length from 0 to 0 ... Done.
    Saving current trace data in file 'pipe' for '3600' seconds ... in TCPDUMP format
    18:17:13.391479 10.198.4.112.29221 > 10.198.4.41.http: S 1430428239:1430428239(0) win 8190 <mss 1460>
    18:17:13.391599 10.198.4.41.http > 10.198.4.112.29221: R 0:0(0) ack 1430428240 win 0 (DF)
    18:17:13.691462 10.198.4.112.29217 > 10.198.4.204.http: R 1430282160:1430282160(0) win 9800
    18:17:13.691467 10.198.4.112.29217 > 10.198.4.204.http: R 1430282160:1430282160(0) win 9800
    18:17:16.091528 127.0.0.2.61049 > localhost.http: S 1430522929:1430522929(0) win 8190 <mss 1460>
    18:17:16.091566 localhost.http > 127.0.0.2.61049: S 1213225328:1213225328(0) ack 1430522930 win 57344 <mss 1460> (DF)
    18:17:16.091570 127.0.0.2.61049 > localhost.http: F 1:1(0) ack 1 win 8190
    18:17:16.091585 localhost.http > 127.0.0.2.61049: . ack 2 win 58400 (DF)
    18:17:16.091654 localhost.http > 127.0.0.2.61049: F 1:1(0) ack 2 win 58400 (DF)
    18:17:16.091665 127.0.0.2.61049 > localhost.http: . ack 2 win 8190
The following table breaks down the first packet line of the preceding output (18:17:13.391479 10.198.4.112.29221 > 10.198.4.41.http: S ...) into its fields:
    Field              Value
    ----------------   -------------------------
    Timestamp          18:17:13.391479
    Source IP          10.198.4.112
    Source Port        .29221
    Direction          >
    Destination IP     10.198.4.41
    Destination Port   .http:
    TCP Flags          S
    Sequence Number    1430428239:1430428239(0)
    Additional Info    win 8190 <mss 1460>

Notes on reading the fields: tcpdump prints each endpoint as host.port and resolves well-known ports to service names, so .http is port 80 (run nstcpdump.sh with -n to print numeric ports and addresses). In this tcpdump version the flags are single letters (S = SYN, F = FIN, R = RST, P = PSH) and a lone . means ACK only. The sequence field is first:last(bytes); on the SYN the absolute initial sequence number is printed with a payload length of 0, and later packets in the same connection show relative numbers (1:1(0)) unless -S is given. win is the advertised receive window and <mss 1460> is the maximum segment size option. In this sample, the SYN to 10.198.4.41 is answered on the next line by R 0:0(0) ack 1430428240 win 0, that is, the connection was refused.
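As an added example (not part of the original article and not Citrix tooling), the following Python script parses nstcpdump.sh output lines of the format shown above into the fields of the table, groups the packets per connection and classifies each connection attempt (refused, reset only, or completed and closed). The function names are this example's own; the input is the sample output from above, copied inline as constructed data so the script runs without a NetScaler.

```python
"""Parse nstcpdump.sh (tcpdump 4.0 classic format) TCP lines and classify each connection.

Added example for this page, not part of the NetScaler tooling. The input below is the
page's sample output, copied inline so the script runs offline.
"""
import re
from collections import defaultdict

# Constructed input: the ten packet lines from the sample output above.
SAMPLE_OUTPUT = """\
18:17:13.391479 10.198.4.112.29221 > 10.198.4.41.http: S 1430428239:1430428239(0) win 8190 <mss 1460>
18:17:13.391599 10.198.4.41.http > 10.198.4.112.29221: R 0:0(0) ack 1430428240 win 0 (DF)
18:17:13.691462 10.198.4.112.29217 > 10.198.4.204.http: R 1430282160:1430282160(0) win 9800
18:17:13.691467 10.198.4.112.29217 > 10.198.4.204.http: R 1430282160:1430282160(0) win 9800
18:17:16.091528 127.0.0.2.61049 > localhost.http: S 1430522929:1430522929(0) win 8190 <mss 1460>
18:17:16.091566 localhost.http > 127.0.0.2.61049: S 1213225328:1213225328(0) ack 1430522930 win 57344 <mss 1460> (DF)
18:17:16.091570 127.0.0.2.61049 > localhost.http: F 1:1(0) ack 1 win 8190
18:17:16.091585 localhost.http > 127.0.0.2.61049: . ack 2 win 58400 (DF)
18:17:16.091654 localhost.http > 127.0.0.2.61049: F 1:1(0) ack 2 win 58400 (DF)
18:17:16.091665 127.0.0.2.61049 > localhost.http: . ack 2 win 8190
"""

# One packet line: timestamp  src.port > dst.port: FLAGS [first:last(bytes)] [ack N] win W [options] [(DF)]
# Flag letters in this tcpdump version: S=SYN, F=FIN, R=RST, P=PSH; a lone "." means ACK only.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\s>\s(?P<dst>\S+):\s"
    r"(?P<flags>[SFRP.]+)"
    r"(?:\s(?P<seq>\d+):(?P<seq_end>\d+)\((?P<length>\d+)\))?"
    r"(?:\sack\s(?P<ack>\d+))?"
    r"\swin\s(?P<win>\d+)"
    r"(?P<extra>.*)$"
)


def split_endpoint(endpoint):
    """'10.198.4.112.29221' -> ('10.198.4.112', '29221'); 'localhost.http' -> ('localhost', 'http').
    tcpdump prints host.port, so the port (or service name) is everything after the last dot."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line):
    """Return the table fields for one packet line, or None for the non-packet lines
    (the 'Setting ... trace buffers' chatter that nstcpdump.sh prints before the packets)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    return {
        "timestamp": m["ts"],
        "src_host": src_host, "src_port": src_port,
        "dst_host": dst_host, "dst_port": dst_port,
        "flags": m["flags"],
        "seq": int(m["seq"]) if m["seq"] else None,
        "length": int(m["length"]) if m["length"] else 0,
        "ack": int(m["ack"]) if m["ack"] else None,
        "win": int(m["win"]),
        "extra": m["extra"].strip(),
    }


def classify_flows(text):
    """Group packets per connection (unordered endpoint pair) and say what happened to it.
    Result keys are '<src>.<port> -> <dst>.<port>' of the first packet seen for that pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        a = (pkt["src_host"], pkt["src_port"])
        b = (pkt["dst_host"], pkt["dst_port"])
        flows[tuple(sorted((a, b)))].append(pkt)

    verdicts = {}
    for pkts in flows.values():
        first, flags = pkts[0], [p["flags"] for p in pkts]
        label = "{src_host}.{src_port} -> {dst_host}.{dst_port}".format(**first)
        # Does the second packet acknowledge our SYN (ack == ISN + 1)?
        second_acks_syn = (len(pkts) > 1 and first["seq"] is not None
                           and pkts[1]["ack"] == first["seq"] + 1)
        if flags[0] == "S" and second_acks_syn and flags[1] == "R":
            verdict = "refused: SYN answered with RST/ACK"   # nothing accepted the connection
        elif all(f == "R" for f in flags):
            verdict = "reset only: no handshake seen in this capture"
        elif flags[0] == "S" and second_acks_syn and flags[1] == "S" and any("F" in f for f in flags):
            verdict = "handshake completed, closed with FIN"
        else:
            verdict = "incomplete or unclassified"
        verdicts[label] = verdict
    return verdicts


if __name__ == "__main__":
    for line in SAMPLE_OUTPUT.splitlines():
        print(parse_line(line))
    for label, verdict in classify_flows(SAMPLE_OUTPUT).items():
        print(label, "=>", verdict)
```

Feed it a saved capture with `nstcpdump.sh port 80 > /var/tmp/http.txt` and `python3 parse_nstcpdump.py < /var/tmp/http.txt` after replacing SAMPLE_OUTPUT with sys.stdin.read(); the regex only covers the TCP line shape shown on this page, so UDP, ICMP and -v output will be reported as None and should be handled separately.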