
Tracing the packets of a Citrix ADC cluster

The Citrix ADC operating system provides a utility called ns trace to get a dump of the packets that are received and sent out by an appliance. The utility stores the packets in trace files. You can use these files to debug problems in the flow of packets to the cluster nodes. The trace files must be viewed with the Wireshark application.

Some salient aspects of the ns trace utility are:

  • Can be configured to trace packets selectively by using classic expressions and default expressions.
  • Can capture the trace in multiple formats: ns trace format (.cap) and TCP dump format (.pcap).
  • Can aggregate the trace files of all cluster nodes on the configuration coordinator.
  • Can merge multiple trace files into a single trace file (only for .cap files).

You can use the ns trace utility from the Citrix ADC command line or the Citrix ADC shell.

To trace packets of a standalone appliance

Run the start ns trace command on the appliance. The command creates trace files in the /var/nstrace/ directory. The trace file names are of the form nstrace.cap.

You can view the status by running the show ns trace command. You can stop tracing the packets by running the stop ns trace command.

Note

You can also run the ns trace utility from the Citrix ADC shell by running the nstrace.sh file. However, it is recommended that you use the ns trace utility through the Citrix ADC command line interface.

To trace packets of a cluster

You can trace the packets on all the cluster nodes and obtain all the trace files on the configuration coordinator.

Run the start ns trace command on the cluster IP address. The command is propagated and run on all the cluster nodes. The trace files are stored in individual cluster nodes in the /var/nstrace/ directory. The trace file names are of the form nstrace_node.cap.

You can use the trace files of each node to debug that node's operations. But if you want the trace files of all cluster nodes in one location, you must run the stop ns trace command on the cluster IP address. The trace files of all the nodes are downloaded on the cluster configuration coordinator in the /var/nstrace/ directory as follows:

[Figure: Cluster trace]

Merge multiple trace files

You can prepare a single file from the trace files (supported only for .cap files) obtained from the cluster nodes. The single trace file gives you a cumulative view of the trace of the cluster packets. The trace entries in the single trace file are sorted based on the time the packets were received on the cluster.

To merge the trace files, at the Citrix ADC shell, type:

> nstracemerge.sh -srcdir \ -dstdir \ -filename \ -filesize \

Where,

  • srcdir is the directory of the trace files to be merged. All trace files within this directory are merged into a single file.
  • dstdir is the directory where the merged trace file is created.
  • filename is the name of the trace file that is created.
  • filesize is the size of the trace file.

Examples

Following are some examples of using the ns trace utility to filter packets.

  • To trace the packets on the backplane interfaces of three nodes:

    Using classic expressions:

    > start nstrace -filter "INTF == 0/1/1 && INTF == 1/1/1 && INTF == 2/1/1"

    Using default expressions:

    > start nstrace -filter "CONNECTION.INTF.EQ(\"0/1/1\") && CONNECTION.INTF.EQ(\"1/1/1\") && CONNECTION.INTF.EQ(\"2/1/1\")"
  • To trace the packets from a source IP address 10.102.34.201 or from a system whose source port is greater than 80 and the service name is not “s1”:

    Using classic expressions:

    > start nstrace -filter "SOURCEIP == 10.102.34.201 || (SVCNAME != s1 && SOURCEPORT > 80)"

    Using default expressions:

    > start nstrace -filter "CONNECTION.SRCIP.EQ(10.102.34.201) || (CONNECTION.SVCNAME.NE(\"s1\") && CONNECTION.SRCPORT.GT(80))"

Note

For more information about filters used in ns trace, see ns trace.

Capturing SSL Session Keys During a Trace

When you run the “start ns trace” command, you can set the new capsslkeys parameter to capture the SSL master keys for all SSL sessions. If you include this parameter, a file named nstrace.sslkeys is generated along with the packet trace. This file can be imported into Wireshark to decrypt the SSL traffic in the corresponding trace file.

This functionality is similar to web browsers exporting session keys that can later be imported into Wireshark for decrypting SSL traffic.

Advantages of using SSL session keys

Following are the advantages of using SSL session keys:

  1. Generates smaller trace files that do not include the extra packets created by the SSLPLAIN mode of capturing.
  2. Provides the ability to view plaintext from the trace and choose whether to share the master keys file or protect sensitive data by not sharing it.
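
Because the key file decrypts every captured session in the trace, one way to act on the sharing choice above is to hand over only the key lines for the sessions under investigation. The following Python code is an added example, not Citrix code; it assumes that nstrace.sslkeys uses the NSS key log layout that Wireshark's (Pre)-Master-Secret log setting reads, and its function names and sample values are constructed for illustration.

```python
import os
import re

# Assumed layout (NSS key log, the format Wireshark's key log preference reads):
#   <LABEL> <client_random, 32 bytes hex> <secret, hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")
# TLS 1.2 and earlier master secret: 48 bytes. TLS 1.3 traffic secrets: 32 or 48.
SECRET_BYTES = {"CLIENT_RANDOM": {48}}
TLS13_SECRET_BYTES = {32, 48}


def parse_keylog(text):
    """Return (entries, rejected_line_numbers) for a key log file's text."""
    entries, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            rejected.append(lineno)
            continue
        label, rand, secret = m.group(1), m.group(2).lower(), m.group(3).lower()
        allowed = SECRET_BYTES.get(label, TLS13_SECRET_BYTES)
        if len(secret) % 2 or len(secret) // 2 not in allowed:
            rejected.append(lineno)  # truncated or padded secret
            continue
        entries.append((label, rand, secret))
    return entries, rejected


def subset_for_sessions(entries, client_randoms):
    """Keep only the key lines for the listed sessions (by Client Hello random)."""
    wanted = {r.lower() for r in client_randoms}
    return [f"{lab} {rand} {sec}" for lab, rand, sec in entries if rand in wanted]


def write_private(path, lines):
    """Create the file owner-readable only; refuse to overwrite an existing one."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")


# Constructed sample input: three valid key lines plus one truncated line.
SAMPLE = "\n".join([
    "# constructed sample, not real key material",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_RANDOM " + "22" * 32 + " " + "bb" * 48,
    "CLIENT_RANDOM " + "33" * 32 + " " + "cc" * 20,  # truncated secret
    "CLIENT_TRAFFIC_SECRET_0 " + "44" * 32 + " " + "dd" * 32,
])
```

The client random of a session of interest can be read from its Client Hello in Wireshark (field tls.handshake.random) and passed to subset_for_sessions.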

Limitations of using SSL session keys

Following are the limitations of using SSL session keys:

  1. SSL sessions cannot be decrypted if the initial packets of the session are not captured.
  2. SSL sessions cannot be captured if the Federal Information Processing Standard (FIPS) mode is enabled.

To capture SSL session keys by using the command line interface (CLI)

At the command prompt, type the following commands to enable or disable SSL session keys in a trace file and verify trace operation.

> start nstrace -capsslkeys ENABLED
> show nstrace

Example

> start nstrace -capsslkeys ENABLED
> show nstrace
State: RUNNING   Scope: LOCAL   TraceLocation: "/var/nstrace/04May2016_17_51_54/..."
Nf: 24   Time: 3600   Size: 164   Mode: TXB NEW_RX
Traceformat: NSCAP   PerNIC: DISABLED   FileName: 04May2016_17_51_54   Link: DISABLED
Merge: ONSTOP   Doruntimecleanup: ENABLED
TraceBuffers: 5000   SkipRPC: DISABLED   SkipLocalSSH: DISABLED
Capsslkeys: ENABLED   InMemoryTrace: DISABLED
Done

To configure SSL session keys by using the Citrix ADC GUI

  1. Navigate to Configuration > System > Diagnostics > Technical Support Tools and click Start new Trace to start tracing encrypted packets on an appliance.
  2. On the Start Trace page, select the Capture SSL Master Keys check box.
  3. Click OK and Done.

To import the SSL Master Keys into Wireshark

On the Wireshark GUI, navigate to Edit > Preferences > Protocols > SSL > (Pre)-Master-Secret log filename and specify the master key files obtained from the appliance.
