Decoding Netskope Client POP selection, basic traffic flow and troubleshooting logs.

  • 27 October 2022

Hi Folks,


I am sharing my modest knowledge with the Netskope community. I hope this helps a few of you in understanding the basic Netskope traffic flow and log analysis.


POP Selection


Versions prior to 96.1:


1. The Netskope Client uses DNS over HTTPS ( to resolve the Netskope gateway's IP address (gateway-tenant

2. If DNS over HTTPS is unsuccessful, the client will fail over to the LDNS technique (UDP 53) to resolve the IP address for gateway-tenant


Versions starting with 96.1:


There is no longer a requirement to resolve NS Gateway domains using the Google DNS service ( The GSLB services deliver a POP list based on the client IP address while performing a REST API request to 


Note: The GSLB option will only be available when the backend tenant flag is activated.


Basic Traffic flow


Let’s take an example of the SaaS Application!


  1. The browser issues a DNS request to the SaaS domain.
  2. The browser receives the DNS response; the Netskope ST Agent driver captures the response and creates a domain-to-IP mapping, i.e. –
  3. The browser starts sending the TCP SYN (3-way handshake) packet to the SaaS server.
  4. The ST Agent driver captures the TCP SYN packet and indicates it to the Netskope ST Agent service.
  5. The ST Agent service has established an SSL tunnel with the Netskope gateway. Through this SSL tunnel, the TCP packets are tunneled or steered.
  6. The Netskope gateway will receive the TCP SYN+ACK response from the SaaS server and forward it to the ST Agent service using the established tunnel.
  7. The ST driver will receive the packets from the ST Agent service.
  8. The system stack will receive the packets from the ST Agent driver, and the browser will display the outcome.


Note: Only the Advanced debugging packet capture option on the NS client can see ST Agent driver-level PCAP. A Wireshark packet capture on a normal adapter will only show the encrypted packets with the destination IP as the Netskope gateway.


Troubleshooting Logs


Log into the endpoint. Right-click the Netskope icon in the System Tray and then click Save Logs.




To verify any service-related error or logs 

To verify the POP selection logs.

To confirm whether the traffic is directed through Netskope or not.


POP selection using EDNS


2019/10/17 09:47:59.527 stAgentSvc p1334 t4c4c 4 tunnel.cpp:694 nsTunnel TLS Connecting to
2019/10/17 09:47:59.676 stAgentSvc p1334 t4c4c 4 restapi.cpp:80 restapi SSL resolve EDNS downloaded successfully
2019/10/17 09:47:59.679 stAgentSvc p1334 t4c4c 4 nsDnsResolver.cpp:179 dnsResolver Hostname resolved by EDNS
2019/10/17 09:47:59.680 stAgentSvc p1334 t4c4c 4 nsssl.cpp:1217 nsssl TLS remote host resolved to, port 443
2019/10/17 09:48:01.728 stAgentSvc p1334 t4c4c 4 tunnel.cpp:729 nsTunnel TLS SSL connected to the server: successfully


POP selection using LDNS


2019/10/14 11:40:49.864 stAgentSvc p1244 t2980 2 nsHTTPClient.cpp:372 downloader curl_easy_perform failed, code 28, error Timeout was reached
2019/10/14 11:40:49.866 stAgentSvc p1244 t2980 2 restapi.cpp:75 restapi Failed to download SSL resolve EDNS, Error: -2
2019/10/14 11:40:49.871 stAgentSvc p1244 t2980 2 nsDnsResolver.cpp:204 dnsResolver Failed to resolve by EDNS
2019/10/14 11:40:49.874 stAgentSvc p1244 t2980 4 nsDnsResolver.cpp:47 dnsResolver Hostname resolved by LDNS
2019/10/14 11:40:49.875 stAgentSvc p1244 t2980 4 nsssl.cpp:1217 nsssl DTLS remote host resolved to, port 443


eg: Traffic steered through Netskope


2019/10/18 20:28:21.148 stAgentSvc pfbc t296c 4 tunnel.cpp:618 nsTunnel TLS [sessId 1] Tunneling flow from addr:, process: chrome.exe to host: www.box.com, addr:


eg: Traffic bypassed from Netskope


2018/10/10 13:17:58.272225 stAgentSvc pf280 t4807 4 bypassAppMgr.cpp:371 BypassAppMgr bypassing flow to exception host:, process:




List of certificate pinned Applications on steered configuration.




The list of IP and domain-based exceptions configured on the Steering configuration


Windows Tenant Config location: %PROGRAMDATA%/netskopestagent
Mac Tenant Config location: /Library/Application/Support/Netskope/STAgent

Windows user Config location: %APPDATA%/netskopestagent
Mac user Config location: <Home Directory>/Library/Application Support/Netskope/STAgent


Thank you 🙂 
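
The log checks described in the post above (POP resolution by EDNS or LDNS, steered versus bypassed flows) can be scripted over a saved client log. This is an added example, not part of the original post and not Netskope tooling; the field layout is inferred from the quoted lines, and the event names and function names are hypothetical.

```python
import re
from collections import Counter

# Field layout inferred from the log lines quoted in the post (an assumption):
# timestamp, service, p<pid>, t<thread>, numeric level, file:line, component, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) \S+ p[0-9a-f]+ t[0-9a-f]+ "
    r"(?P<level>\d+) (?P<src>\S+:\d+) (?P<comp>\S+) (?P<msg>.*)$")
# Message substrings taken from the post, mapped to hypothetical event names.
EVENTS = [("Hostname resolved by EDNS", "pop_edns"),
          ("Failed to resolve by EDNS", "edns_failed"),
          ("Hostname resolved by LDNS", "pop_ldns"),
          ("Tunneling flow from", "steered"),
          ("bypassing flow to", "bypassed")]
PROC_RE = re.compile(r"process:\s*([^,\s]*)")
HOST_RE = re.compile(r"host:\s*([^,\s]*)")

def classify(line):
    """Return an event record for a recognised line, otherwise None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    for needle, event in EVENTS:
        if needle in m["msg"]:
            rec = {"ts": m["ts"], "event": event, "src": m["src"]}
            if event in ("steered", "bypassed"):
                # Fields may be empty when a log has been redacted, as in the post.
                proc, host = PROC_RE.search(m["msg"]), HOST_RE.search(m["msg"])
                rec["process"] = proc.group(1) if proc else ""
                rec["host"] = host.group(1) if host else ""
            return rec
    return None

def summarize(lines):
    """Count events; flag an EDNS failure later followed by an LDNS resolution."""
    events = [r["event"] for r in map(classify, lines) if r]
    fallback = ("edns_failed" in events and
                "pop_ldns" in events[events.index("edns_failed"):])
    return {"counts": dict(Counter(events)), "ldns_fallback": fallback}

# Sample lines copied from the post (host name spacing repaired); omitted values stay empty.
SAMPLE = """\
2019/10/14 11:40:49.871 stAgentSvc p1244 t2980 2 nsDnsResolver.cpp:204 dnsResolver Failed to resolve by EDNS
2019/10/14 11:40:49.874 stAgentSvc p1244 t2980 4 nsDnsResolver.cpp:47 dnsResolver Hostname resolved by LDNS
2019/10/18 20:28:21.148 stAgentSvc pfbc t296c 4 tunnel.cpp:618 nsTunnel TLS [sessId 1] Tunneling flow from addr:, process: chrome.exe to host: www.box.com, addr:
2018/10/10 13:17:58.272225 stAgentSvc pf280 t4807 4 bypassAppMgr.cpp:371 BypassAppMgr bypassing flow to exception host:, process:
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A set `ldns_fallback` flag on a client that normally resolves by EDNS points at the DNS-over-HTTPS request being blocked or timing out on that network.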


1 reply


Thanks for sharing @Zulkifal