Session Reliability tracing RRS feed

  • Question

  • I am capturing packets from a client machine back to a Citrix server to determine latency, size of keep-alive packets for Citrix. I see several packets but having a difficult time to discover which packet is the keep-alive. If anyone has captured these and can give me insite on how to read them.
    Friday, November 5, 2010 1:02 PM

All replies

  • Keep-alives are often zero or one byte length TCP frames.  Looking up Citrix and Keep-Alives I see reference to an ICA frame.  I don't know what this looks like but if this RDP traffic, then perhaps you can see a clue in the parsed frame.

    The other indication of a keep-alive frame is you'll see a delay from last frame sent on the conversation.  A keep-alive is usually sent when nothing occurs for some specified ammount of time (like 30 or 60 seconds).  One way to find this frame is to look at the time-delta column when focusing on a TCP conversation in the tree.

    You can also filter on the time delta and look for everything greater than 1 second.  The only caveat here is that you'll need to save each TCP thread separately and reload it.  Then you can filter on FrameVariable.TimeDelta > 10000000 for every frame that has greater than 1 second delay.  This might help you discover what the keep-alive frames look like.


    Friday, November 5, 2010 4:09 PM
  • Thanks for the insight. I will take a look. I was concentrating on the Wfica.exe packets to see which one it is. Also looking at the destination/port. These servers have session reliability turned on which means it all goes thorugh port 2598.
    Friday, November 5, 2010 5:25 PM
  • If you need to remap a port so it gets parsed in Network Monitor, you can do this using the following FAQ which is linked off our Blog (http://blogs.technet.com/b/netmon) on the support Tab.


    Friday, November 5, 2010 6:16 PM