Netskope Client Command Reference

This section lists the various nsdiag commands used in the installation of the Netskope Client.

Diagnostics Commands (Windows, macOS, and Linux)

The diagnostics command, nsdiag, is available on Microsoft Windows, macOS, and Linux devices. It is located in the Client installation directory:

  • In Windows: C:\Program Files (x86)\Netskope\stagent

    Example: "C:\Program Files (x86)\Netskope\stagent\nsdiag" -n

  • In macOS: /Library/Application Support/Netskope/STAgent/

    Example: $ /Library/Application\ Support/Netskope/STAgent/nsdiag -n

  • In Linux: /opt/netskope/stagent/

    Example: /opt/netskope/stagent/nsdiag -n

Command example: nsdiag [options]

Command options are case-sensitive.
    nsdiag -o <file>.zip
    nsdiag -c start [-o <filename>.pcap] [-s <snap length>]
    nsdiag -c stop
    nsdiag -p start [-o <filename>.etl] [-s <file size>]
    nsdiag -p stop
    nsdiag -d start [-o <filename>.etl]
    nsdiag -d stop
    nsdiag -u 
    nsdiag -g upload -s [1mb | 10mb | 100mb]
    nsdiag -r <URL> 
    nsdiag -g download -s [1mb | 10mb | 100mb]
    nsdiag -l [dump | debug | info | warning | error | critical]
    nsdiag -m 
    nsdiag -n 
    nsdiag -x <regular expression> <string to match>
    nsdiag [-h | -v]

If Secure Enrollment tokens are enabled, use the following command. For IdP enrollments, the token need not be present on the end-user machine, as the user is authenticated using the IdP.

    nsdiag -e enrollauthtoken=<token> enrollencryptiontoken=<token>

  • There are minor differences in the commands displayed for macOS and Linux. For example:
    • The command to capture the outer packet: nsdiag -p start [-o <filename>.pcap] [-s <file size>]
    • The command to start capturing driver logs: nsdiag -d start [-o <filename>.log]

Command Option
    Description

-o <file>.zip
    Save logs and diagnostics to output <file>.zip.

-c start [-o <filename>.pcap] [-s <snap length>]
    Start capturing inner packet dump to <filename>.pcap.

-p start [-o <filename>.etl] [-s <file size>]
    Start capturing outer packet dump to <filename>.etl.

-d start [-o <filename>.etl]
    Start capturing driver logs in <filename>.etl.

-o <filename>.<extension>
    In Windows
    Output is created in the default directory "C:/ProgramData/Netskope/stagent/Logs".
      • If a filename is not specified, the default filename is used.
      • The filename should NOT be a path, as output is always created in the default directory.

    In macOS
    Output is created in the default directory "/Library/Logs/Netskope".
      • If a filename is not specified, the default filename is used.
      • The filename should NOT be a path, as output is always created in the default directory.

    In Linux
    Output is created in the default directory "/opt/netskope/stagent/logs".
      • If a filename is not specified, the default filename is used.
      • The filename should NOT be a path, as output is always created in the default directory.

-s <snap length>
    If snap length is not specified, the entire packet is captured.

-m <file size>
    File size (in MB) must be non-zero and less than 1024. For example, nsdiag -m 2
    The default size is 10 MB; with this command you can set the log file size up to 1 GB.

    Usage: nsdiag -m

    Example: nsdiag -m 10

    This changes the nsdebug.log file size to 10 MB.

-c stop
    Stop capturing inner packet dump.

-p stop
    Stop capturing outer packet dump.

-d stop
    Stop capturing driver logs.

-u
    Update configuration.

-h
    Show this help.

-v
    Show Netskope Client version.

-r
    Show time values of website access.
    For example,
    ./nsdiag -r www.google.com

    NameLookupTime: 0.1
    ConnectTime: 0.2
    AppConnectTime: 0.0
    PretransferTime: 0.2
    StarttransferTime: 0.7
    TotalTime: 0.9
    RedirectTime: 0.0
    DownloadSpeed: 19669 bytes/sec

-g download -s [1mb | 10mb | 100mb]
    Perform Speed Test operation; supports [upload | download] operations.

    Supported file sizes are 1mb, 10mb, and 100mb, provided with -s. File size is mandatory.

-g upload
    Performs an upload Speed Test for the specified size.

    Supported payload sizes are 1mb, 10mb, and 100mb, used with the -s option. File size is mandatory.

    Upload test example: nsdiag -g upload -s 10mb

-g download
    Performs a download Speed Test for the specified size.

    Download test example: nsdiag -g download -s 10mb

-l [dump | debug | info | warning | error | critical]
    Set the Netskope Client log level.

-n
    Get NPA status.
    Example: $ /Library/Application\ Support/Netskope/STAgent/nsdiag -n

    NPA status is Connected.

-x
    Test if a string will match a regular expression.

-f
    Display client details such as client status, tunnel status, Gateway, On-Prem Status, Gateway IP, Tunnel Protocol, and Explicit Proxy.

    >.\nsdiag.exe -f
    Orgname:: Netskope Corp.
    Config:: Default tenant config.
    Steering Config:: All Users.
    Email:: xxxx@xxxxxx.com.
    Peruser config:: FALSE.
    Tunnel status:: NSTUNNEL_CONNECTED.
    Client status:: enable.
    Gateway:: gateway-maa1.goskope.com.
    Dynamic Steering:: FALSE.
    OnPremDetection:: Not Configured.
    Explicit Proxy:: false.
    Gateway IP:: 198.168.1.1
    Tunnel Protocol:: DTLS.
    SNI Enable:: FALSE.
    Traffic Mode:: All Traffic.

--check-dc
    Check device classification and send the current status immediately to the backend.
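
For fleet health checks, the following Python parses the nsdiag -f output shown above into fields and compares them with a baseline. It is an added example, not Netskope code and not part of the original reference; the names parse_status, check_status and BASELINE, and the choice of the page's sample values as the baseline, are assumptions of this example.

```python
# Constructed sample: an abridged copy of the `nsdiag -f` output on this page.
SAMPLE = r"""
>.\nsdiag.exe -f
Orgname:: Netskope Corp.
Email:: xxxx@xxxxxx.com.
Tunnel status:: NSTUNNEL_CONNECTED.
Client status:: enable.
Gateway:: gateway-maa1.goskope.com.
Gateway IP:: 198.168.1.1
Tunnel Protocol:: DTLS.
"""

# Assumption of this example: the values in the page's sample output are the
# baseline. Any other value is reported as-is, not interpreted.
BASELINE = {
    "Tunnel status": "NSTUNNEL_CONNECTED",
    "Client status": "enable",
}


def parse_status(text):
    """Turn `Key:: value.` lines into a dict; skip prompts and blank lines."""
    fields = {}
    for line in text.splitlines():
        # partition() splits on the first "::" only, so a value that itself
        # contains "::" (for example an IPv6 address) stays intact.
        key, sep, value = line.partition("::")
        if not sep:
            continue
        value = value.strip()
        # Lines end with one terminating period ("Gateway IP" has none).
        # Remove only that one so dots inside hostnames and IPs survive.
        if value.endswith("."):
            value = value[:-1]
        fields[key.strip()] = value
    return fields


def check_status(fields, baseline=BASELINE):
    """Return findings as strings; an empty list means the baseline is met."""
    findings = []
    for key, want in baseline.items():
        got = fields.get(key)
        if got is None:
            findings.append(f"{key}: missing from nsdiag output")
        elif got != want:
            findings.append(f"{key}: got {got!r}, baseline {want!r}")
    return findings


if __name__ == "__main__":
    status = parse_status(SAMPLE)
    for finding in check_status(status) or ["baseline met"]:
        print(finding)
    print("gateway:", status["Gateway"], status["Gateway IP"])
```

A missing field is reported separately from a changed one, so output that is truncated or in an unexpected format does not pass silently.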