Enabling Packet Capture for Zscaler Client Connector
With the filter driver, the Zscaler service handles traffic on the system at a low level. Traditional packet capture tools (e.g., Wireshark) might not see all traffic for troubleshooting purposes.
Zscaler Client Connector version 1.3 and later includes a packet capture feature that allows users to capture traffic specific to the app. This feature captures packets at the driver level. It does not capture all packets on all network adapters. Instead, only the packets that pass through the filter driver are captured.
For Zscaler Client Connector version 1.5 and later, this feature captures packets at the adapter level and captures all packets on all network adapters.
Enabling Zscaler Digital Experience (ZDX) installs Npcap.
Enabling the Start Packet Capture Option
To enable packet capture for Zscaler Client Connector:
- In the Zscaler Client Connector Portal, go to Administration and select Client Connector Support.
- On the User Privacy tab, select Enable Local Packet Capture in Zscaler Client Connector if it's not already enabled.
After enabling access to local packet capture, it can take up to two hours for this feature to appear in Zscaler Client Connector. Click Update Policy from the More window to manually refresh your policies.
- To confirm that the filter driver is enabled from within Zscaler Client Connector, click More. If the driver is enabled, the Start Packet Capture option appears.
If you’re using a Zscaler Client Connector version earlier than 1.5, the Start Packet Capture option is visible only if you are using Tunnel mode and the filter driver is enabled.
Using the Start Packet Capture Option
When reproducing an issue that requires packet capture:
- In Zscaler Client Connector, click More.
- In the Troubleshoot section, click Start Packet Capture and modify the following settings:
- Run Session For: Select the time limit you want to run the packet captures for. The default setting is 5 mins.
- Disk Space Limit: Select the storage space for the PCAP files. Each PCAP file is limited to half of the selected disk space limit, and the oldest PCAP file is deleted when the limit is exceeded. For example, if a limit of 500 MB is chosen, two PCAP files are created in sequence, each with a size of 250 MB. If the packet capture exceeds the 500 MB limit, the first (oldest) file is deleted. The default setting is 200 MB.
- Frame Size Limit: Select the packet payload length. The default setting is 1514.
- Packet Capture Filter: Enter filter text to filter the packets. If left empty, all packets are captured. If invalid text is entered, an error message is displayed.
- Click Start to run the packet capture.
- Reproduce the issue.
- Click Stop Packet Capture after you resolve the issue.
If the user forgets to stop the packet capture, it automatically stops after the time limit set in Run Session For has expired.
Duplicate packets are created in a packet capture to use for troubleshooting. The duplicate packets are not sent to the destination.
Packet Capture Files
Packet capture files are stored with Zscaler Client Connector logs in the following locations:
- Windows: %ProgramData%\Zscaler\log-<random numbers>
%ProgramFiles(x86)% and %ProgramFiles% are macros that represent the drive where the Windows program files are located. Typically, program files are located on the C drive. However, there are exceptions (e.g., on Amazon WorkSpaces, program files are on the D drive).
- macOS: /Library/Application Support/com.zscaler.Zscaler
For ARM processor-based macOS devices, the path is /Library/Application Support/Zscaler.
- Linux: /var/log/zscaler/.Zscaler/Logs
Packet capture files have the prefix CaptureAdapters (Windows can also have the prefix CaptureLWF), followed by a timestamp and the file extension .pcap.
You can export packet capture files to a secondary location by browsing to the desired location when you export logs.
Examples of packet capture files:
CaptureAdapters_2020-07-28-17-13-49.822349.pcap
CaptureLWF_2020-07-28-17-13-49.822349.pcap
You might need to select the option to display hidden files to view the packet capture file.
Packet capture files are exported to the archive that is generated when using the Export Logs option from Zscaler Client Connector. To learn more, see Using Zscaler Client Connector.
However, these files are not exported to the archive that is generated when using the Report an Issue option from Zscaler Client Connector. You must send the files to Zscaler Support for assessment.
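The naming convention above makes it possible to inventory the capture files left in a log folder or an exported archive. The following Python script is an added example, not Zscaler code: it matches the documented prefixes and timestamp format, sorts the files oldest first, and reads each file's capture header. It assumes the files are in classic libpcap format (not pcapng) and that the header's snapshot length reflects the Frame Size Limit setting; the function names are illustrative.

```python
import re
import struct
import sys
from datetime import datetime
from pathlib import Path

# File-name pattern from the page: <prefix>_YYYY-MM-DD-HH-MM-SS.ffffff.pcap
NAME_RE = re.compile(
    r"^(CaptureAdapters|CaptureLWF)_(\d{4}(?:-\d{2}){5}\.\d{6})\.pcap$")

# Assumption: classic libpcap files (not pcapng). Magic bytes -> byte order.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond stamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond stamps
}

def parse_capture_name(name):
    """Return (prefix, start time) for a capture file name, else None."""
    m = NAME_RE.match(name)
    if m is None:
        return None
    return m.group(1), datetime.strptime(m.group(2), "%Y-%m-%d-%H-%M-%S.%f")

def read_pcap_header(path):
    """Return (snaplen, linktype) from the 24-byte global header, else None."""
    with open(path, "rb") as fh:
        hdr = fh.read(24)
    order = PCAP_MAGICS.get(hdr[:4])
    if order is None or len(hdr) < 24:
        return None
    # snaplen and link type are the last two 32-bit fields of the header
    return struct.unpack(order + "II", hdr[16:24])

def inventory(log_dir):
    """Capture files under log_dir, oldest first, with size and header info."""
    rows = []
    for path in Path(log_dir).rglob("*.pcap"):
        parsed = parse_capture_name(path.name)
        if parsed is not None:
            rows.append({"path": path, "prefix": parsed[0],
                         "started": parsed[1], "size": path.stat().st_size,
                         "header": read_pcap_header(path)})
    return sorted(rows, key=lambda r: r["started"])

if __name__ == "__main__":
    for row in inventory(sys.argv[1]):  # e.g. an exported log folder
        print(row["started"], row["prefix"], row["size"], row["header"])
```

A header value of None marks a file that carries a capture name but does not start with a libpcap header, such as a truncated or still-empty capture.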