When you do a NetScaler packet capture, you get a lot of information, and deciphering what's going on takes years and years of training. Sometimes it is even the absence of packets that's the problem, which does not make it easier.
I was implementing “Content Inspection” (forward traffic to IDS/IPS device) and was working with terms like ingress and egress interfaces. I was seeing traffic coming to the ADC and wanted to verify it was being forwarded.
When you open the trace in Wireshark, there is a section called “NetScaler Packet Trace” which could look like this:
NetScaler Packet Trace
Operation: TXB (0xad)
Nic No: 14
Activity Flags: 0x00000000
Capture Flags: 0x00000000
Errorcode: No Error (0x00)
App: TEST (0x17)
Core Id: 8
Linked PcbDevNo: 0x00000000
TCP Debug Info
I was seeing the initial request coming in on “Nic No: 9” and I knew that was my 10/4 uplink. Using the “show interface” command, I could see which Nic No it was (snippet below):
show interface 10/4
1) Interface 10/4 (10G Ethernet, SR, 10 Gbit) #9
MTU=1500, native vlan=1, MAC=00:e0:ed:9d:89:b5, uptime 24h47m55s
Requested: media AUTO, speed AUTO, duplex AUTO, fctl OFF,
I also knew where my ingress interface was configured, so a show interface 10/2 revealed that it was Nic No: 6, and a Wireshark filter, nstrace.nicno == 6, revealed that I was sending packets to my IDS/IPS device.
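The lookup described above can be scripted. This is an added example, not code from the post or from Citrix: it parses `show interface` header lines into an interface-to-NIC-number map, builds the `nstrace.nicno` display filter, and counts packets per NIC. The sample inputs are constructed, and the function names and the one-value-per-packet export of `nstrace.nicno` are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the 10/4 lines are from the post; the 10/2 header line
# is built from the post's statement that 10/2 is Nic No 6.
SHOW_INTERFACE = """\
1) Interface 10/4 (10G Ethernet, SR, 10 Gbit) #9
    MTU=1500, native vlan=1, MAC=00:e0:ed:9d:89:b5, uptime 24h47m55s
2) Interface 10/2 (10G Ethernet, SR, 10 Gbit) #6
"""

# Constructed sample: one nstrace.nicno value per packet, as exported from a
# trace (for instance with: tshark -r <trace> -T fields -e nstrace.nicno).
NICNO_COLUMN = "9\n9\n6\n9\n6\n14\n"

# Header line shape: "<n>) Interface <name> (<media>) #<nic no>"
HEADER = re.compile(r"^\s*\d+\)\s+Interface\s+(\S+)\s+\(.*\)\s+#(\d+)\s*$")

def nic_map(show_output):
    """Map interface name -> NIC number from 'show interface' header lines."""
    out = {}
    for line in show_output.splitlines():
        m = HEADER.match(line)
        if m:
            out[m.group(1)] = int(m.group(2))
    return out

def display_filter(nics, *interfaces):
    """Wireshark display filter matching packets on any named interface."""
    missing = [i for i in interfaces if i not in nics]
    if missing:
        raise KeyError("no NIC number known for: " + ", ".join(missing))
    return " || ".join(f"nstrace.nicno == {nics[i]}" for i in interfaces)

def forwarding_summary(nics, nicno_column, uplink, inspection):
    """Count packets on the uplink and on the interface facing the IDS/IPS."""
    counts = Counter(int(v) for v in nicno_column.split())
    seen_in, seen_out = counts[nics[uplink]], counts[nics[inspection]]
    return {"uplink": seen_in, "to_inspection": seen_out,
            "forwarding_seen": seen_in > 0 and seen_out > 0}

if __name__ == "__main__":
    nics = nic_map(SHOW_INTERFACE)
    print(nics)
    print(display_filter(nics, "10/4", "10/2"))
    print(forwarding_summary(nics, NICNO_COLUMN, "10/4", "10/2"))
```

A `to_inspection` count of zero while `uplink` is non-zero is the "absence of packets" case: traffic reached the ADC but nothing left on the interface facing the inspection device.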
This is just one little step in the world of tracing on NetScaler. I hope it helps someone out there, and I hope a Citrix employee will grab a keyboard and write up proper documentation (with examples!) to further grow the knowledge in this area – it's really needed.