How To Capture Network Traffic/Packet on ESXi Hosts

Capturing network traffic is a very important task when you run into connectivity or network issues. We are all comfortable capturing network traffic at the guest OS level, but what do you do when troubleshooting connectivity issues in your virtualization environment? This post will help you capture network traffic on an ESXi host using the pktcap-uw tool.

The pktcap-uw tool is an enhanced packet capture and analysis tool that can be used in place of the legacy tcpdump-uw tool. The pktcap-uw tool is included by default in ESXi 5.5. This article provides information on using the pktcap-uw tool for packet capture and analysis. The tcpdump-uw tool can only capture packets/frames at the vmkernel interface level and cannot capture frames at the uplink, vSwitch, or virtual port levels. The new pktcap-uw tool allows traffic to be captured at all points within the hypervisor for greater flexibility and improved troubleshooting, and it provides more options for capturing packets. Let's take a look at how to use the pktcap-uw tool to capture network traffic.

Get help and Syntax information:

pktcap-uw -h |more

To view a live capture of VMkernel interface traffic:

pktcap-uw --vmk vmk0


Save the capture to an output file:

To capture the output to a file, use the -o option:

pktcap-uw --vmk vmk0 -o /tmp/vmk0capture.pcap


To limit the data being captured:

You can limit the data being captured using the '-c' option, which lets you specify the number of packets you wish to capture:

pktcap-uw --vmk vmk0 -c 1


Capture traffic of a specific physical network card (vmnic) on the ESXi host:

pktcap-uw --uplink vmnic0

Capture traffic from a virtual switch port on a dvSwitch:

pktcap-uw --switchport switchportnumber

Example: pktcap-uw --switchport 33554433

To get the switch port ID:

esxtop -> press n -> PORT-ID


To capture packets at multiple points simultaneously:

Capture packets from both a switch port and a physical adapter at the same time using the command below:

pktcap-uw --switchport 33554433 -o /tmp/33554433.pcap & pktcap-uw --uplink vmnic0 -o /tmp/vmnic0.pcap &


Stop pktcap-uw tracing with the kill command:

kill $(lsof | grep pktcap-uw | awk '{print $1}' | sort -u)

To check that all pktcap-uw traces are stopped:

lsof | grep pktcap-uw | awk '{print $1}' | sort -u
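The multi-point capture and the kill/verify steps above, wrapped into one ESXi shell script. This is an added example, not code from the original post or from VMware; the function names, the packet-count limit and the sample lsof lines are assumptions made for illustration, and the real captures only run when pktcap-uw is present on the host.

```sh
#!/bin/sh
# Added example (not from the original post): start pktcap-uw captures at two
# points at once, then stop them by cartel ID exactly as the post's kill
# pipeline does. Function names are assumed for illustration.

# Print the unique first column (the cartel ID that `kill` needs) of every
# lsof line mentioning pktcap-uw. Reads from stdin so it works with real
# `lsof` output or with constructed input.
pktcap_cartels() {
    grep 'pktcap-uw' | awk '{print $1}' | sort -u
}

# Start one capture in the background.
# $1 = capture point (vmk|uplink|switchport), $2 = interface or port ID,
# $3 = output pcap, $4 = optional packet-count limit (-c).
start_capture() {
    point="$1"; name="$2"; out="$3"; count="${4:-}"
    if [ -n "$count" ]; then
        pktcap-uw --"$point" "$name" -c "$count" -o "$out" &
    else
        pktcap-uw --"$point" "$name" -o "$out" &
    fi
}

# Stop every running pktcap-uw trace, then return non-zero if any survived.
stop_all_captures() {
    ids=$(lsof | pktcap_cartels)
    [ -n "$ids" ] && kill $ids
    [ -z "$(lsof | pktcap_cartels)" ]
}

# Constructed lsof-style sample in the layout the post's awk pipeline assumes
# (first column = cartel ID). Two pktcap-uw cartels, one unrelated process.
SAMPLE_LSOF='Cartel | World name | Type | fd | Description
2100042 | pktcap-uw | FILE | 3 | /tmp/33554433.pcap
2100042 | pktcap-uw | FILE | 0 | /dev/char/pty/t0
2100057 | pktcap-uw | FILE | 3 | /tmp/vmnic0.pcap
2099001 | hostd | FILE | 5 | /var/log/hostd.log'

# Only run real captures on an ESXi host where pktcap-uw exists.
if command -v pktcap-uw >/dev/null 2>&1; then
    start_capture switchport 33554433 /tmp/33554433.pcap 100
    start_capture uplink vmnic0 /tmp/vmnic0.pcap 100
    sleep 30
    stop_all_captures
fi
```

Bounding each capture with -c keeps a forgotten background trace from filling /tmp, and stop_all_captures re-runs the lsof check so a script can fail loudly if a trace is still open.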

Captured packets can be viewed in Sniffer tools such as Wireshark.

I hope this post is informative for you. Thanks for reading! Be social and share it on social media if you feel it is worth sharing.