DICOM and a Citrix NetScaler Load Balancer

asked 2023-08-25 18:23:21 +0000

We have dozens of DICOM modalities that send to a NetScaler, which distributes the inbound Associations among four DICOM routers in front of our VNA. On any given day, for any given modality location, we can experience slowness in the delivery of a radiology exam to the routers.

We have placed Wireshark on each of the four routers - but alas, the source IP is that of the NetScaler, and not the originating IP of the modality. And, we're told the IP of the modality cannot be spoofed to the routers. Consequently, we can't discriminate good traffic, from bad - we can't filter on the source of the troublesome data.

What's puzzling is that the management application on the routers reports the Originating AET of the modality; it's IN the inbound data to the router. But, as far as I know - Wireshark has no provision for filtering on Orig AET. Am I missing something? Is there another way to achieve my objective?

adTHANKSvance, Dan


Comments

(Sample pcap attached to 13164: DICOM dissection error)

Is Originating AET the Calling AE Title?

DICOM, A-ASSOCIATE request GESHUTTLE --> AE_DCM2PRINTER
    PDU Type: ASSOC Request (0x01)
    PDU Length: 447
    A-ASSOCIATE request GESHUTTLE --> AE_DCM2PRINTER
        Protocol Version: 1
        Called  AE Title: AE_DCM2PRINTER  
        Calling AE Title: GESHUTTLE       
        Application Context: DICOM Application Context Name (1.2.840.10008.3.1.1.1)
        Presentation Context: Basic Grayscale Print Management Meta SOP Class (1.2.840.10008.5.1.1.9)
        Presentation Context: Presentation LUT SOP Class (1.2.840.10008.5.1.1.23)
        Presentation Context: Print Job SOP Class (1.2.840.10008.5.1.1.14)
        User Info: Max PDU Length 64234, Implementation UID 1.2.276.0.69.25.1.1, Version GE_SenoIris_1
Chuckc ( 2023-08-25 22:59:04 +0000 )

Yes, that's correct - the Originating AET is the Calling AET. And I'm sure the AET of interest appears in the log among the dozens of modalities that Associate with each router. But my ask is: How can I filter on transactions related to a specific AET? So that I don't blow out the log (I have) before I have the opportunity to collect sufficient data related to just the AET of interest?

shortmort37 ( 2023-08-27 19:11:10 +0000 )

I don't think it's possible with a capture filter.

It might be possible with a ring buffer of capture files to process them in a script, determine the tcp.stream or src/dest port pair, then use that to extract the conversation to a new pcap file.
Would really depend on being able to process the files before the ring buffer wraps and deletes the files.

Chuckc ( 2023-08-27 23:19:47 +0000 )
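
The post-processing step suggested in the comment above, as an added example (not code from this thread or from Wireshark): it reads one finished ring-buffer file, finds the A-ASSOCIATE requests whose Calling AE Title matches, and copies those TCP conversations into a new pcap. It assumes classic little-endian pcap files (not pcapng) with untagged Ethernet/IPv4 frames and a request that starts at the beginning of a TCP segment; the function names are illustrative.

```python
import struct

def tcp_segment(frame):
    """Return (conversation_key, tcp_payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4                   # IPv4 header length varies
    if len(frame) < tcp + 20:
        return None
    end = 14 + struct.unpack_from("!H", frame, 16)[0]   # IP total length drops padding
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    start = tcp + (frame[tcp + 12] >> 4) * 4
    # Direction-independent key so both halves of the conversation match.
    return frozenset([(frame[26:30], sport), (frame[30:34], dport)]), frame[start:end]

def calling_aet(payload):
    """Calling AE Title if payload begins with an A-ASSOCIATE-RQ PDU, else None."""
    # Layout: type(1)=0x01, reserved(1), length(4), version(2), reserved(2),
    # Called AE Title(16), Calling AE Title(16); titles are space padded.
    if len(payload) < 42 or payload[0] != 0x01 or payload[1] != 0:
        return None
    return payload[26:42].decode("ascii", "replace").strip()

def records(pcap):
    """Yield (raw_record, frame) pairs from a classic little-endian Ethernet pcap."""
    if pcap[:4] != b"\xd4\xc3\xb2\xa1" or struct.unpack_from("<I", pcap, 20)[0] != 1:
        raise ValueError("expected classic little-endian pcap with Ethernet link type")
    pos = 24
    while pos + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, pos + 8)[0]
        yield pcap[pos:pos + 16 + incl], pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl

def extract_aet(pcap, aet):
    """Return a new pcap with only the TCP conversations opened by Calling AET `aet`."""
    wanted = set()
    for _, frame in records(pcap):            # pass 1: find matching associations
        seg = tcp_segment(frame)
        if seg and calling_aet(seg[1]) == aet:
            wanted.add(seg[0])
    out = [pcap[:24]]                         # keep the original global header
    for raw, frame in records(pcap):          # pass 2: copy whole conversations
        seg = tcp_segment(frame)
        if seg and seg[0] in wanted:
            out.append(raw)
    return b"".join(out)
```

Because every inbound connection carries the load balancer's source IP, the source port in the key is what separates one modality's association from another; a port reused within the same capture file would be included as well.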