When you do a NetScaler packet capture, you will get a lot of information, and your ability to decipher what's going on requires years and years of training. Sometimes it is even the absence of packets that's the problem, which does not make it easier.
I was implementing “Content Inspection” (forwarding traffic to an IDS/IPS device) and was working with terms like ingress and egress interfaces. I was seeing traffic coming to the ADC and wanted to verify it was being forwarded.
When you open the trace in Wireshark, there is a section called “NetScaler Packet Trace” which could look like this:
NetScaler Packet Trace
Operation: TXB (0xad)
Nic No: 14
Activity Flags: 0x00000000
Capture Flags: 0x00000000
Errorcode: No Error (0x00)
App: TEST (0x17)
Core Id: 8
Linked PcbDevNo: 0x00000000
TCP Debug Info
I was seeing the initial request coming in on “Nic No: 9” and I knew that was my 10/4 uplink. Using the “show interface” command, I could see which Nic No it was (snippet below):
show interface 10/4
1) Interface 10/4 (10G Ethernet, SR, 10 Gbit) #9
MTU=1500, native vlan=1, MAC=00:e0:ed:9d:89:b5, uptime 24h47m55s
Requested: media AUTO, speed AUTO, duplex AUTO, fctl OFF,
I also knew where my ingress interface was configured, so a “show interface 10/2” revealed that it was Nic No: 6, and the Wireshark filter nstrace.nicno == 6 revealed that I was sending packets to my IDS/IPS device.
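The same check as a script, as an added example that is not part of the original post: it reads the Nic No from the "show interface" header lines, builds the nstrace.nicno filter, and counts packets per interface so that an interface with no traffic stands out. The 10/2 header line and the per-packet values are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the 10/4 lines are from the post; the 10/2 header line is
# made up to match the post's statement that 10/2 is Nic No 6.
SHOW_INTERFACE = """\
1) Interface 10/4 (10G Ethernet, SR, 10 Gbit) #9
   MTU=1500, native vlan=1, MAC=00:e0:ed:9d:89:b5, uptime 24h47m55s
2) Interface 10/2 (10G Ethernet, SR, 10 Gbit) #6
"""

# Constructed per-packet Nic No values, one per line, in the form produced by
#   tshark -r <trace file> -T fields -e nstrace.nicno
NICNO_COLUMN = "9\n9\n6\n9\n6\n14\n"

# Header line: "<n>) Interface <name> (<media description>) #<Nic No>"
HEADER = re.compile(r"^\s*\d+\)\s+Interface\s+(\S+)\s+\(.*\)\s+#(\d+)\s*$")

def parse_nic_numbers(show_output):
    """Map interface name -> Nic No from 'show interface' header lines."""
    nic_by_if = {}
    for line in show_output.splitlines():
        m = HEADER.match(line)
        if m:
            nic_by_if[m.group(1)] = int(m.group(2))
    return nic_by_if

def display_filter(nic_by_if, interfaces):
    """Build a Wireshark display filter selecting the named interfaces."""
    return " || ".join(f"nstrace.nicno == {nic_by_if[i]}" for i in interfaces)

def packets_per_interface(nicno_column, nic_by_if, interfaces):
    """Count packets per interface; a count of 0 means nothing was seen there."""
    seen = Counter(int(v) for v in nicno_column.split())
    return {i: seen.get(nic_by_if[i], 0) for i in interfaces}

if __name__ == "__main__":
    nics = parse_nic_numbers(SHOW_INTERFACE)
    wanted = ["10/4", "10/2"]  # uplink and IDS/IPS-facing interface from the post
    print(display_filter(nics, wanted))
    for name, count in packets_per_interface(NICNO_COLUMN, nics, wanted).items():
        note = "  <-- no traffic seen" if count == 0 else ""
        print(f"{name} (Nic No {nics[name]}): {count} packets{note}")
```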
This is just one little step in the world of tracing on NetScaler. I hope it helps someone out there, and I hope a Citrix employee will grab a keyboard and write up proper documentation (with examples!) to further grow the knowledge in this area – it's really needed.
Thanks, great info to have. We are also trying to get content inspection going. We got the content inspection configured and can see the traffic is passing through the IDS/IPS device.
As per NetScaler, it will send decrypted data to the inline device and encrypt it while sending to the service group. But in our case the NetScaler is not decrypting the data while sending it to the inline device. Anything we should specifically check on our device?
Any help appreciated.
Sorry for the very late reply, I don't get notified about comments.
In my setup, NetScaler was sending the decrypted data to the inline device (going from port 443 to 80). What does the trace show?