Citrix Debug HDX with WireShark
Overview
Wireshark can capture and analyze HDX/ICA traffic, but to make it effective you should combine it with Citrix display protocol (ICA/HDX) filters, DTLS decryption (if possible), and custom profiles or scripts that highlight latency, retransmissions, and protocol behavior.

Below is a guide to capturing HDX session traffic, along with custom Wireshark filters and templates for debugging ICA latency, EDT issues, and HDX performance bottlenecks.
Wireshark HDX/ICA Debugging Setup
- Run Wireshark on the endpoint or VDA
- Capture on the NIC (e.g., Ethernet or Wi-Fi)
- Use this capture filter to limit traffic:
  host <VDA IP> and (tcp port 1494 or tcp port 2598 or udp port 443)
  1494 = ICA, 2598 = Session Reliability, 443 UDP = EDT/DTLS
Wireshark Display Filters for HDX/ICA Analysis
Use these display filters in Wireshark after capture to drill into ICA traffic:

All ICA/HDX transports (ICA, Session Reliability, EDT):
tcp.port == 1494 || tcp.port == 2598 || udp.port == 443

EDT over DTLS only:
udp.port == 443 && dtls

ICA Retransmissions (high latency symptom):
tcp.analysis.retransmission || tcp.analysis.fast_retransmission

ACK round-trip time (packets carrying an RTT measurement):
tcp.analysis.ack_rtt

Then go to: Statistics → TCP Stream Graphs → RTT to visualize latency spikes.
Wireshark ICA/HDX Profile or Script
You can create a custom Wireshark profile to automatically apply filters and coloring rules.

Here's what you can include in your profile:

| Rule Name | Filter | Color |
|---|---|---|
| ICA TCP | tcp.port == 1494 | Blue |
| Session Reliability | tcp.port == 2598 | Green |
| EDT/UDP | udp.port == 443 | Orange |
| Retransmission | tcp.analysis.retransmission | Red |
| High RTT | tcp.analysis.ack_rtt > 0.200 | Yellow |
To create a profile:
- Wireshark → Help → About → Folders → find your profiles directory
- Create folder CitrixHDX
- Inside it, create:
  - colorfilters file with above rules
  - dfilters file with your ICA filters
- Save and switch to the CitrixHDX profile in Wireshark

Related Citrix tooling:
- Citrix offers CDFControl for component tracing, and that can work alongside Wireshark
- NetScaler Trace (nstrace) can be opened in Wireshark for ICA-level visibility (especially EDT over Gateway)
- Combine ctxmonitor logs with Wireshark trace timestamps to correlate spikes
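As an added example (not code from the original post), this Python script writes the CitrixHDX profile's colorfilters and dfilters files from the table and filters above. The RGB values and the rule ordering are my own choices; the two file formats (`@name@filter@[bg][fg]` with 16-bit components, and `"name" filter`) are Wireshark's own.

```python
from pathlib import Path
# Rules from the table above. The RGB values are our own choice (the page names
# colours only); Wireshark stores each component as a 16-bit value (0-65535).
RULES = [
    ("ICA TCP", "tcp.port == 1494", "Blue"),
    ("Session Reliability", "tcp.port == 2598", "Green"),
    ("EDT/UDP", "udp.port == 443", "Orange"),
    ("Retransmission", "tcp.analysis.retransmission", "Red"),
    ("High RTT", "tcp.analysis.ack_rtt > 0.200", "Yellow"),
]
COLOURS = {  # name -> (background RGB, foreground RGB), 8-bit
    "Blue": ((173, 216, 230), (0, 0, 0)),
    "Green": ((144, 238, 144), (0, 0, 0)),
    "Orange": ((255, 200, 120), (0, 0, 0)),
    "Red": ((255, 120, 120), (0, 0, 0)),
    "Yellow": ((255, 255, 150), (0, 0, 0)),
}
ICA_DFILTERS = [  # saved display filters from this page, for the dfilters file
    ("ICA/HDX all transports", "tcp.port == 1494 || tcp.port == 2598 || udp.port == 443"),
    ("EDT DTLS", "udp.port == 443 && dtls"),
    ("ICA retransmissions", "tcp.analysis.retransmission || tcp.analysis.fast_retransmission"),
    ("EDT fallback marker", 'frame contains "X-Citrix-Transport"'),
]

def to16(rgb):
    """Scale 8-bit RGB to Wireshark's 16-bit components: [r,g,b] with 255 -> 65535."""
    return "[" + ",".join(str(c * 257) for c in rgb) + "]"

def colorfilter_line(name, flt, colour):
    """One colorfilters rule: @name@filter@[bg][fg]."""
    bg, fg = COLOURS[colour]
    return f"@{name}@{flt}@{to16(bg)}{to16(fg)}"

def render_colorfilters(rules=RULES):
    # Wireshark applies the first matching rule, so the problem indicators
    # (Red, Yellow) must precede the per-port colours or they never show.
    ordered = sorted(rules, key=lambda r: r[2] not in ("Red", "Yellow"))
    return "\n".join(colorfilter_line(*r) for r in ordered) + "\n"

def render_dfilters(filters=ICA_DFILTERS):
    # dfilters format: one "<name>" <filter> per line
    return "\n".join(f'"{name}" {flt}' for name, flt in filters) + "\n"

def write_profile(profiles_dir, name="CitrixHDX"):
    # Creates <profiles_dir>/<name>/ (see Help -> About -> Folders) with both files
    prof = Path(profiles_dir) / name
    prof.mkdir(parents=True, exist_ok=True)
    (prof / "colorfilters").write_text(render_colorfilters())
    (prof / "dfilters").write_text(render_dfilters())
    return prof
```

Point `write_profile()` at the profiles directory shown under Help → About → Folders, then switch to the CitrixHDX profile.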
If using EDT (UDP/DTLS), the traffic is encrypted and not readable in Wireshark unless:
- You capture on the VDA before encryption
- OR you perform a NetScaler nstrace with decryption enabled

Otherwise, you're mostly checking packet size, jitter, and flow, not content.

To trace EDT fallback to TCP, apply:
frame contains "X-Citrix-Transport"

Look for changes like:
X-Citrix-Transport: UDP -> TCP

This is your smoking gun that EDT failed and fell back to TCP, which often causes latency jumps.