Capture Network Traffic for ESXi host using TCPDUMP

This post explains how to capture network traces on an ESXi host using the tcpdump utility. During network issues or troubleshooting, it is often useful to run a tcpdump on the ESXi host. The tcpdump-uw command is based on the standard tcpdump utility and captures network traces from the perspective of a network interface.

First decide on which network interface you need to capture the network traces of the ESXi host. Identify the list of VMkernel network adapters using the command below:

esxcfg-vmknic -l

Capture the default first 68 bytes using tcpdump

The tcpdump-uw command with the -i option can be used to display the packets on a VMkernel interface. Let's choose vmk1 for our example.

tcpdump-uw -i vmk1

Capture entire packet using tcpdump

The tcpdump and tcpdump-uw commands capture only the first 68 bytes of each packet by default. To capture the entire packet, tcpdump-uw needs to be used with the -s option (snapshot length).

Use a value of 1514 for normal traffic:

tcpdump-uw -i vmk1 -s 1514

Use a value of 9014 if jumbo frames are enabled:

tcpdump-uw -i vmk1 -s 9014 -B 9

Capture packets with filters using tcpdump

The tcp filter with the tcpdump-uw command can be used to display only the TCP packets on vmk1:

tcpdump-uw -i vmk1 -s 1514 tcp

The host filter can be used with tcpdump-uw to see traffic to/from only a single IP address (replace <ip-address> with the address of interest):

tcpdump-uw -i vmk1 -s 1514 host <ip-address>

Capture packets with verbose option

The -vvv option can be used with tcpdump-uw to display all packets on vmk1 with verbose detail:

tcpdump-uw -i vmk1 -s 1514 -vvv

Save the tcpdump in pcap format for later analysis

Output of the tcpdump command can be saved in pcap format and opened later in Wireshark for analysis. Save the output as filename.pcap:

tcpdump-uw -i vmk1 -s 1514 -w esxihost1.pcap

Limiting the log files using tcpdump

You can limit the capture files to a specific number during the tcpdump capture using the -W option, together with -C to set the size at which each file rotates:

tcpdump-uw -i vmk1 -s 1514 -C 50M -W 5 -w /var/esxihost1-capture.pcap

The above command rotates through 5 trace files of 50 MB each (the size given by -C). This setting helps you avoid running out of space on the ESXi host due to the packet capture.
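Putting the steps above together, here is an added example (not from the original post) that reads the adapter's MTU from esxcfg-vmknic -l to choose between the 1514 and 9014 snaplen, then assembles the rotating tcpdump-uw capture line with an optional BPF filter. The sample esxcfg-vmknic output is constructed, and the position of the MTU column (5th field from the right) is an assumption to check against your ESXi version.

```shell
#!/bin/sh
# Added example, not part of the original post: choose the tcpdump-uw snaplen
# from the VMkernel adapter's MTU and build the rotating capture command line.
# Assumption: in "esxcfg-vmknic -l" output the MTU is the 5th field from the
# right (MTU, TSO MSS, Enabled, Type, NetStack); the sample below is constructed.

SAMPLE_VMKNIC_OUTPUT='Interface  Port Group/DVPort/Opaque Network  IP Family IP Address    Netmask        Broadcast      MAC Address        MTU   TSO MSS  Enabled Type    NetStack
vmk0       Management Network                IPv4      192.168.1.10  255.255.255.0  192.168.1.255  00:50:56:aa:bb:cc  1500  65535    true    STATIC  defaultTcpipStack
vmk1       vMotion Network                   IPv4      10.0.0.10     255.255.255.0  10.0.0.255     00:50:56:aa:bb:cd  9000  65535    true    STATIC  vmotion'

# vmk_mtu <vmkN>: print the MTU of one VMkernel adapter. Reads VMKNIC_OUTPUT
# when set (tests / offline use), otherwise runs esxcfg-vmknic -l on the host.
vmk_mtu() {
    printf '%s\n' "${VMKNIC_OUTPUT:-$(esxcfg-vmknic -l)}" |
        awk -v ifc="$1" '$1 == ifc { print $(NF-4); exit }'
}

# snaplen_for_mtu <mtu>: 1514 captures a full standard frame, 9014 a jumbo frame
snaplen_for_mtu() {
    if [ "$1" -gt 1500 ]; then echo 9014; else echo 1514; fi
}

# capture_cmd <vmkN> <out.pcap> [bpf filter ...]: print the tcpdump-uw line with
# the full-packet snaplen, -B 9 for jumbo frames, and 5 x 50 MB file rotation
capture_cmd() {
    ifc=$1; out=$2; shift 2
    filter=$*
    mtu=$(vmk_mtu "$ifc")
    if [ -z "$mtu" ]; then
        echo "capture_cmd: no VMkernel adapter named $ifc" >&2
        return 1
    fi
    snap=$(snaplen_for_mtu "$mtu")
    buf=""
    if [ "$snap" -eq 9014 ]; then buf=" -B 9"; fi
    echo "tcpdump-uw -i $ifc -s $snap$buf -C 50M -W 5 -w $out${filter:+ $filter}"
}

# Stand-alone demo against the constructed sample (on a real host leave
# VMKNIC_OUTPUT unset so the live esxcfg-vmknic -l output is used).
VMKNIC_OUTPUT=$SAMPLE_VMKNIC_OUTPUT
capture_cmd vmk0 /vmfs/volumes/datastore1/vmk0.pcap
capture_cmd vmk1 /vmfs/volumes/datastore1/vmk1.pcap tcp and host 10.0.0.20
```

Writing the rotating files to a datastore path rather than /var keeps the capture off the small ESXi ramdisk.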
I believe this is informative for you. Thanks for reading!!!