Capturing a continuous network trace (tcpdump) on XenServer without filling the dom0


Article ID: CTX217620


Description

In certain situations we do not know when the issue will be reproduced, so the network capture needs to keep running. If the capture is run without a limit on its output, it may fill up the dom0 filesystem and can crash the XenServer host.


Instructions

  1. Log in to the XenServer host over SSH (for example, with PuTTY).

  2. On the console, run the following command:

# tcpdump -s 0 -tttt -C 50 -W 2 -i <interface name, like eth0> host <x.x.x.x> and port <port no> -w /tmp/$HOSTNAME--$(date +%F-%H-%M-%S).pcap

-C 50 sets the file size in MB.
-W 2 sets the number of files to alternate writing over.

This continues capturing network traffic, overwriting the files in order, until the command is interrupted. In this example it writes to 2 files of approximately 50 MB each, for a total of 100 MB at any given time. This ensures that we have the last 100 MB of captured packets and never use more than 100 MB of the filesystem. These values can be adjusted as needed.

  3. Once the issue is reproduced, stop the capture by pressing Ctrl+C.
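The following wrapper is an added example, not part of the original article: before starting the ring-buffer capture it checks that the worst-case size (-C multiplied by -W) plus a reserve fits in the free space of the target directory. The function names, the RESERVE_MB default of 200 and the sample address 192.0.2.10 are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: pre-flight check for a tcpdump ring-buffer capture in dom0.
# Source this file, then call safe_capture as shown at the bottom.

# Assumed headroom (MB) to leave free on the filesystem; not from the article.
RESERVE_MB=${RESERVE_MB:-200}

# Worst-case disk use in MB of "tcpdump -C <size_mb> -W <count>".
ring_cap_mb() {
    echo $(( $1 * $2 ))
}

# Free space in MB on the filesystem that holds directory $1.
free_mb() {
    df -Pk "$1" | awk 'NR==2 { print int($4 / 1024) }'
}

# Succeeds only if the whole ring plus the reserve fits in $3 MB of free space.
# An empty $3 (df failed) is treated as 0, so the check fails safe.
ring_fits() {
    local need=$(( $(ring_cap_mb "$1" "$2") + RESERVE_MB ))
    [ "$need" -le "${3:-0}" ]
}

# Usage: safe_capture <iface> <size_mb> <count> <out_dir> [filter ...]
safe_capture() {
    local iface="$1" size_mb="$2" count="$3" dir="$4"
    shift 4
    local free
    free=$(free_mb "$dir")
    if ! ring_fits "$size_mb" "$count" "$free"; then
        echo "refusing to start: ring needs $(ring_cap_mb "$size_mb" "$count") MB" \
             "plus ${RESERVE_MB} MB reserve, ${free:-0} MB free on $dir" >&2
        return 1
    fi
    # Same options as the article's command; "$@" carries the capture filter.
    tcpdump -s 0 -tttt -C "$size_mb" -W "$count" -i "$iface" \
        -w "$dir/${HOSTNAME:-$(hostname)}--$(date +%F-%H-%M-%S).pcap" "$@"
}

# Constructed sample call (interface and address are placeholders):
#   safe_capture eth0 50 2 /tmp host 192.0.2.10 and port 443
```
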

Additional Information

http://support.citrix.com/article/CTX120869