02-01-2017 08:42 AM - edited 03-12-2019 10:25 AM
Important notes:
Command: net-stats -l
Command: pktcap-uw --vmk vmk0 -o /tmp/CAPTURE.pcap
Command: pktcap-uw --uplink vmnic3 -o /tmp/CAPTURE.pcap
Command: pktcap-uw --switchport <switchportnumber> -o /tmp/CAPTURE.pcap
At this point you should have been able to download the capture to your SFTP:
It's very important to remember that this feature only captures traffic one way. Up until this point we have been capturing traffic in the default inbound direction. To capture packets in the outbound direction:
Command: --dir 1
pktcap-uw --vmk vmk0 --dir 1 -o /tmp/CAPTURE.pcap
pktcap-uw --uplink vmnic3 --dir 1 -o /tmp/CAPTURE.pcap
pktcap-uw --switchport 50331657 --dir 1 -o /tmp/CAPTURE.pcap
http://www.virten.net/2015/10/esxi-network-troubleshooting-with-tcpdump-uw-and-pktcap-uw/
If you want to do bi-directional captures using pktcap-uw then you can do the following command:
pktcap-uw --switchport 33554495 --dir 0 -o /tmp/33554495_in.pcap & \
pktcap-uw --switchport 33554495 --dir 1 -o /tmp/33554495_out.pcap &
You can also do this in one line if you remove the "\" and return:
pktcap-uw --vmk vmk0 --dir 0 -o /tmp/vmk0_in.pcap & pktcap-uw --vmk vmk0 --dir 1 -o /tmp/vmk0_out.pcap &
Important note: Because "&" causes the process to be run in the background, you'll need to manually kill the process after starting it. The easiest way to do this is to kill all instances of pktcap-uw:
kill $(lsof |grep pktcap-uw |awk '{print $1}'| sort -u)
You can verify all pcaps are ended by running the following command:
lsof |grep pktcap-uw |awk '{print $1}'| sort -u
References:
http://networkgeekstuff.com/networking/minipost-capturing-bidirectional-traffic-of-virtual-machine-vms-on-vmware-esx-6-x-host/
https://kb.vmware.com/s/article/2051814
Great article. +5
This helped me isolate a SIP issue coming from a CUCM VM. I will add that SSH can be enabled from vSphere under Configuration -> Software pane -> Security Profile -> Properties -> SSH -> Start SSH.
These captures just got so much easier as of ESXi 6.7 because they finally added --dir 2 which finally allows for both inbound and outbound captures within the same file!
Using the example above for ESXi 6.5 and earlier, we can see this is now reduced to the following command in ESXi 6.7+:
pktcap-uw --switchport 33554495 --dir 2 -o /tmp/33554495_InandOut.pcap
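The post's two-process recipe for 6.5 and earlier, the `lsof`-based cleanup, and the `--dir 2` shortcut from the comment above can be tied together in one small wrapper. The script below is an added example, not from the original post, from the comment, or from VMware; the function names (`esxi_supports_dir2`, `build_capture_cmds`, `pktcap_pids_from_lsof`, `run_capture`) and the sample `lsof` lines are this example's own assumptions. The command-building and PID-parsing parts run anywhere; only `run_capture` needs a real ESXi host.

```shell
#!/bin/sh
# Added example (not the post's or VMware's code): picks the pktcap-uw
# invocation for the host's ESXi version and cleans up afterwards.
# All function names here are assumptions made for this example.

# Returns 0 (true) when VERSION such as "6.7.0" is 6.7 or newer, the
# release the comment above names as the first with --dir 2.
esxi_supports_dir2() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    if [ "${major:-0}" -gt 6 ]; then return 0; fi
    if [ "${major:-0}" -eq 6 ] && [ "${minor:-0}" -ge 7 ]; then return 0; fi
    return 1
}

# Prints the pktcap-uw command line(s) for a capture in both directions.
#   $1 ESXi version    $2 vmk|uplink|switchport
#   $3 vmk0|vmnic3|<switchport number>    $4 output dir (default /tmp)
# 6.7+: a single --dir 2 command. Earlier: two background commands,
# --dir 0 and --dir 1, exactly as the 6.5 recipe in the post.
build_capture_cmds() {
    version=$1; type=$2; id=$3; outdir=${4:-/tmp}
    if esxi_supports_dir2 "$version"; then
        printf 'pktcap-uw --%s %s --dir 2 -o %s/%s_InandOut.pcap\n' \
            "$type" "$id" "$outdir" "$id"
    else
        printf 'pktcap-uw --%s %s --dir 0 -o %s/%s_in.pcap &\n' \
            "$type" "$id" "$outdir" "$id"
        printf 'pktcap-uw --%s %s --dir 1 -o %s/%s_out.pcap &\n' \
            "$type" "$id" "$outdir" "$id"
    fi
}

# Reads lsof output on stdin and prints the unique first-column ids of
# every line mentioning pktcap-uw; the same pipeline the post uses.
pktcap_pids_from_lsof() {
    grep pktcap-uw | awk '{print $1}' | sort -u
}

# Constructed sample of lsof output (first column = process/cartel id),
# so pktcap_pids_from_lsof can be exercised without a live host.
SAMPLE_LSOF='2099226 pktcap-uw FILE 3 /tmp/33554495_in.pcap
2099226 pktcap-uw FILE 4 /dev/char/vmkapi/net
2099231 pktcap-uw FILE 3 /tmp/33554495_out.pcap
2097189 hostd FILE 9 /var/log/hostd.log'

# Starts the capture in the background, waits DURATION seconds (default
# 30), then kills every pktcap-uw instance as the post does.
# Only meaningful on an ESXi host where pktcap-uw exists.
run_capture() {
    version=$1; type=$2; id=$3; duration=${4:-30}
    command -v pktcap-uw >/dev/null 2>&1 || {
        echo "pktcap-uw not found; run this on an ESXi host" >&2; return 1; }
    build_capture_cmds "$version" "$type" "$id" | while read -r cmd; do
        cmd=${cmd% &}        # drop any trailing "&"; every command is backgrounded below
        eval "$cmd &"
    done
    sleep "$duration"
    kill $(lsof | pktcap_pids_from_lsof)
    # anything still listed here means a capture did not stop
    lsof | pktcap_pids_from_lsof
}

# Usage on a host (assumed values): run_capture "$(vmware -v | awk '{print $3}')" switchport 33554495 60
```

`build_capture_cmds` is the part worth keeping around: on 6.5 it reproduces the post's `--dir 0` / `--dir 1` pair, on 6.7+ the single `--dir 2` command, so the same script works on mixed-version clusters. The version string is taken from `vmware -v` in the usage line, which prints "VMware ESXi <version> build-<n>"; pass the version by hand if your output differs.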