How to Install Wireshark as a Service to Investigate Virtual Desktop Connection Issues

Here is a great support article from the brilliant guys over at Citrix Support!

First of all you need to download and install Wireshark on the virtual desktop. (accept all defaults). Then, Copy instsrv.exe and srvany.exe from the Windows Server 2003 Resource Kit Tools to the virtual desktop.

Caution! This procedure requires you to edit the registry. Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Back up the registry before you edit it.

1. To find the NIC ID, at a command prompt, type:
<path>tshark -D > NICs.txt

(TShark is the text based version of Wireshark and has less overhead)

2. Edit NICs.txt and locate the NIC ID of the network card.

3. At the command prompt type:
<path>instsrv.exe wireshark <path>srvany.exe

Where path is the folder where the 2003 resource kit is held
This creates service called wireshark.

4. Edit the registry to configure the service:

    a. Run regedit:

    b. Locate the key called HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wireshark

    c. Create key called “parameters”

    d. Create a value of type reg_SZ, called “application” with value of “c:\Program Files\Wireshark\tshark.exe” -i <NIC ID> -t ad -p -n -w c:\citrixlog.pcap

5. Run services.msc, find the wireshark service, check that the security is correct (local service will work – uncheck Allow service to interact with desktop)

6. Restart the virtual desktop (if this is not possible: log off from the virtual desktop and start computer management from a separate computer in the same domain, connect to the virtual desktop and start the wireshark service – although Wireshark runs as a service, the tracingon is paused when a user logs out. So the service needs to be started at startup or when there is no user logged in.)

7. Attempt to connect as assigned user from Web Interface

8. Attempt to telnet to Virtual machine on ports 1494 and 2598 from UK.

9. Log out as assigned user.

10. Log in as an administrative user.

11. Collect the log files.

12. Stop the service.

13. When you have finished and wish to remove the service, run the command:
instsrv wireshark remove

14. Uninstall Wireshark and Winpcap from the virtual desktop.

Click here to read the full article