Packet Capture – ZCC & ZPA
Overview
When troubleshooting a Zscaler connectivity issue, captures are required from two sides simultaneously:
| Side | Tool | Purpose |
|---|---|---|
| Endpoint | Zscaler Client Connector (ZCC) | Capture traffic leaving the user device |
| ZPA App Connector | tcpdump via SSH | Capture traffic between the App Connector and the application server |
Capturing both sides allows you to confirm where a session is failing — client, tunnel, or application server.
Part 1 — Endpoint (ZCC)
Perform these steps on the user’s machine running Zscaler Client Connector.
Steps
1. Open ZCC
Launch the Zscaler Client Connector from the system tray or applications menu.
2. Clear Existing Logs
More → Clear Logs
Clears previous logs so the export only contains data relevant to this session.
3. Start Packet Capture
More → Start Packet Capture
ZCC begins capturing tunnel and connection traffic on the endpoint. If the menu item is not present, packet capture has not been enabled for the user's App Profile in the Zscaler Client Connector Portal; enable it there first and let ZCC pick up the updated profile.
4. Reproduce the Issue
Have the user attempt the failing action — open the application, browse the URL, or trigger the connection that is failing.
5. Stop Packet Capture at Point of Failure
As soon as the failure occurs, stop the capture. The capture is size-limited and rotates, so leaving it running risks discarding the packets that matter. Note the exact time of the failure so the endpoint capture can later be lined up with the App Connector capture.
More → Stop Packet Capture
6. Export Logs
More → Export Logs
Save the exported log bundle. It contains the packet capture file along with the ZCC diagnostic logs; keep it together with the App Connector capture so both sides of the same session can be compared.
Part 2 — ZPA App Connector
Perform these steps on the App Connector serving the affected application.
Pre-requisites
- Identify which App Connectors are assigned to the application in the ZPA Admin Portal
- Confirm which App Connector is enabled and active. If more than one connector in the group is active, any of them may serve the session: either capture on all of them, or check the session's entry in the ZPA user activity log to see which connector handled it
- Have SSH access ready to the App Connector host
Steps
1. Identify the App Connectors
In the ZPA Admin Portal:
- Navigate to Infrastructure → App Connectors
- Identify the connectors associated with the affected application segment
- Note the connector that is currently enabled
2. SSH to the App Connector
ssh admin@<app-connector-ip>
3. Start tcpdump
Run the following command, replacing the placeholders with the actual interface name and internal server IP. tcpdump needs root, so prefix it with sudo if you are not logged in as root:
tcpdump -i <interface-name> -s 0 host <internal-server-ip> -w pcapfilename.pcap
| Parameter | Description |
|---|---|
| -i <interface-name> | Network interface to capture on (e.g. eth0) |
| -s 0 | Capture full packets (no truncation) |
| host <internal-server-ip> | Filter to only capture traffic to/from the target server |
| -w pcapfilename.pcap | Write output to a .pcap file in the current directory |
Tip: run ip link or ifconfig to list the interface names before starting the capture; ip route get <internal-server-ip> shows the interface the connector will actually use to reach the server. Keep the host filter in place: an unfiltered capture on a busy connector grows quickly and can fill the disk. For a long reproduction, tcpdump's -C and -W options turn the output into a ring of fixed-size files.
4. Have the Application Team Launch the Session
Coordinate with the application or end-user team to attempt the connection while tcpdump is actively running.
5. Reproduce the Issue
Allow the failure to occur with the capture running. Do not stop the capture prematurely.
6. Stop tcpdump
Press Ctrl + C to stop the capture once the failure has been reproduced.
7. Export the PCAP
Copy the .pcap file off the App Connector for analysis. The path below assumes tcpdump was started from the admin user's home directory; adjust it if the capture was written elsewhere:
scp admin@<app-connector-ip>:~/pcapfilename.pcap ./
Open it with Wireshark to analyse connection attempts, resets, timeouts, or TLS errors, and compare the timestamps against the ZCC capture from Part 1 to see how far the session got. Treat the file as sensitive: the connector-to-server leg is inside the ZPA tunnel, so for applications that do not use TLS it contains the application traffic in clear text. Delete the capture from the App Connector once it has been copied off.
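The comparison the Overview describes (endpoint versus App Connector, to decide whether the session dies at the client, in the tunnel, or at the server) comes down to one question per side: did the SYN get an answer, and what kind? The following is an added example, not part of this runbook and not a Zscaler tool: a self-contained Python script that walks a classic pcap file, classifies every TCP handshake towards a given server address, and maps the two sides' results to the hop to look at. It assumes Ethernet-framed IPv4 captures and IPv4 only; the sample pcap at the bottom is constructed in the script so it runs offline. When you run it on a real export, pass the address the client actually connected to for the endpoint capture (for a ZPA-defined application that is the synthetic IP ZCC hands out, not the server's real IP) and the internal server IP for the connector capture. If a capture is in pcapng format, convert it first with editcap -F pcap.

```python
import struct
import sys
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4      # classic pcap magic as read from a little-endian file
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def iter_tcp(pcap):
    """Yield (ts, src_ip, dst_ip, sport, dport, tcp_flags) for each IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (LINKTYPE 1) captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        if frame[23] != 6:                                    # IP protocol != TCP
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield ts_sec + ts_usec / 1e6, src, dst, sport, dport, tcp[13]


def classify_flows(pcap, server_ip):
    """Per (client_ip, client_port, server_port): which handshake steps were seen."""
    flows = {}
    for _, src, dst, sport, dport, flags in iter_tcp(pcap):
        if dst == server_ip:
            key, to_server = (src, sport, dport), True
        elif src == server_ip:
            key, to_server = (dst, dport, sport), False
        else:
            continue
        f = flows.setdefault(key, {"syn": False, "syn_ack": False,
                                   "rst_server": False, "rst_client": False})
        if to_server and flags & SYN and not flags & ACK:
            f["syn"] = True
        if not to_server and flags & SYN and flags & ACK:
            f["syn_ack"] = True
        if flags & RST:
            f["rst_client" if to_server else "rst_server"] = True
    return flows


def verdict(f):
    if not f["syn"]:
        return "mid-stream (no SYN seen, capture started late)"
    if f["syn_ack"]:
        return "established, server reset" if f["rst_server"] else "established"
    if f["rst_server"]:
        return "refused (RST to SYN)"
    return "no answer to SYN (timeout)"


def summarise(flows):
    return {"syn": sum(f["syn"] for f in flows.values()),
            "syn_ack": sum(f["syn_ack"] for f in flows.values()),
            "rst_from_server": sum(f["rst_server"] for f in flows.values())}


def where_is_it_failing(endpoint, connector):
    """Map the two summaries to the hop to investigate (assumed interpretation)."""
    if endpoint["syn"] == 0:
        return "client never sent a SYN: check the client application and the ZCC app profile"
    if connector["syn"] == 0:
        return "SYN left the endpoint but never reached the App Connector: ZCC tunnel, ZPA policy or app segment"
    if connector["syn_ack"] == 0 and connector["rst_from_server"] == 0:
        return "App Connector sent SYN, server never answered: routing or firewall between connector and server"
    if connector["syn_ack"] == 0:
        return "server refused the connection (RST to SYN): nothing listening on that port"
    if connector["rst_from_server"] > 0:
        return "handshake completed, server reset the session: application-level failure, check TLS and app logs"
    return "TCP handshake healthy at the server"


# --- constructed sample capture (not real traffic); checksums are left at zero ---
def _tcp_frame(src, dst, sport, dport, flags):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def _pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(fr), len(fr)) + fr
    return out


CLIENT, SERVER = "10.0.0.5", "10.20.30.40"        # hypothetical addresses
SAMPLE_PCAP = _pcap([
    _tcp_frame(CLIENT, SERVER, 40001, 443, SYN),        # flow 1: handshake, then server RST
    _tcp_frame(SERVER, CLIENT, 443, 40001, SYN | ACK),
    _tcp_frame(CLIENT, SERVER, 40001, 443, ACK),
    _tcp_frame(SERVER, CLIENT, 443, 40001, RST | ACK),
    _tcp_frame(CLIENT, SERVER, 40002, 443, SYN),        # flow 2: SYN retransmits, no reply
    _tcp_frame(CLIENT, SERVER, 40002, 443, SYN),
    _tcp_frame(CLIENT, SERVER, 40002, 443, SYN),
    _tcp_frame(CLIENT, SERVER, 40003, 443, SYN),        # flow 3: port closed
    _tcp_frame(SERVER, CLIENT, 443, 40003, RST | ACK),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else SAMPLE_PCAP
    target = sys.argv[2] if len(sys.argv) > 2 else SERVER
    flows = classify_flows(data, target)
    for (cip, cport, sport), f in sorted(flows.items()):
        print(f"{cip}:{cport} -> :{sport}  {verdict(f)}")
    print(summarise(flows))
```

Usage on real files: python3 pcap_handshakes.py endpoint.pcap <client-side-address> and python3 pcap_handshakes.py connector.pcap <internal-server-ip>, then feed the two summaries to where_is_it_failing. The script deliberately keys flows by client port and server port rather than server IP, because the endpoint and connector captures see different destination addresses for the same ZPA session.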
Quick Reference Summary
Endpoint (ZCC)
1. Open ZCC
2. More → Clear Logs
3. More → Start Packet Capture
4. Reproduce the issue
5. More → Stop Packet Capture (at point of failure)
6. More → Export Logs
ZPA App Connector
1. Identify active App Connector in ZPA Admin Portal
2. SSH to App Connector
3. tcpdump -i <interface> -s 0 host <server-ip> -w pcapfilename.pcap
4. Coordinate with app team to launch the session
5. Reproduce the issue
6. Ctrl+C to stop tcpdump
7. SCP the .pcap file for analysis