As a vSphere admin you are sometimes tasked with investigating network issues. You don't always have access to the VM itself, so you need to diagnose at the ESXi level. As some of you may know, quickly gaining insight into a VM's network traffic by capturing it on the ESXi host is a rather involved task. The tool at your disposal for capturing VM traffic is pktcap-uw, and one of its biggest shortcomings is that it doesn't decode the packets it captures the way tcpdump does.

Often all you need for a first look is the one-line-per-packet summary that tcpdump prints. If the issue doesn't become apparent from that first pass, you can always save a capture file to disk and open it in Wireshark for further investigation. But what if I told you there is a way to get tcpdump-style output without first saving a capture to disk?

If you are an experienced Unix/Linux engineer you may be familiar with named pipes, also called FIFOs: a special file on the filesystem that one process writes to and another process reads from, with the data never touching disk. The ESXi shell ships the mkfifo command, so the same trick works on a host.

To create a named pipe, run:

mkfifo /tmp/tcpdump.cap

Next, find the port ID of the VM you want to capture. Start by finding the VM's world ID:

esxcli network vm list

Now use the world ID as a parameter to list the VM's ports and find the port ID:

esxcli network vm port list -w [world id]

If the VM has multiple network interfaces, check the MAC address of each entry so you select the right port ID. Now point pktcap-uw at the named pipe by giving it as the output file with the -o flag:

pktcap-uw --switchport [port id] -o /tmp/tcpdump.cap &

Make sure to include the ampersand so the command runs in the background: opening a FIFO for writing blocks until a reader opens the other end, so a foreground pktcap-uw would simply hang until tcpdump-uw starts.

Now start tcpdump-uw to read from the named pipe and print the interpreted summary of the captured traffic:

tcpdump-uw -r /tmp/tcpdump.cap

One downside of reading the pipe with the -r flag is that you can't apply filters at the tcpdump-uw end, so you need to do the filtering at the pktcap-uw level. Thankfully, as described in an earlier blog post, pktcap-uw now supports pcap filters.

Finally, when you want to stop the capture, kill the pktcap-uw process with this one-liner. It relies on the first column of the ESXi lsof output being the cartel (process) ID, and note that it kills every running pktcap-uw on the host, not just yours, so don't run it while someone else's capture is in progress:

kill $(lsof |grep pktcap-uw | awk '{print $1}'| sort -u)
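The steps above fit naturally into one small script that you can keep on the host. The following is an added example and not code from the original post. It assumes the ESXi shell (busybox ash) with esxcli, pktcap-uw, tcpdump-uw and mkfifo available, and it uses the same commands shown above. The parse_port_id helper, the sample_port_list function with its constructed esxcli output (used only to check the parser offline; real port IDs and MACs will differ), and the per-run pipe name under /tmp are my additions. Unlike the lsof one-liner, the cleanup only kills the pktcap-uw instance the script itself started.

```shell
#!/bin/sh
# vm-tcpdump.sh: live tcpdump-style view of one VM's traffic on an ESXi host,
# streaming pktcap-uw output through a FIFO into tcpdump-uw.
# Added example, not code from the original post. Assumes the ESXi shell
# (busybox ash) with esxcli, pktcap-uw, tcpdump-uw and mkfifo available.
#
# Usage: sh vm-tcpdump.sh <world id> <vm mac> [extra pktcap-uw options]
set -eu

# Read "esxcli network vm port list -w <world id>" output on stdin and print
# the Port ID of the entry whose "MAC Address:" matches $1 (case-insensitive).
# Only a bare "Port ID:" line names the VM's own switch port; the
# "Uplink Port ID:" line of each entry is deliberately not matched.
parse_port_id() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        $1 == "Port" && $2 == "ID:" { pid = $3 }
        $1 == "MAC" && $2 == "Address:" && tolower($3) == want { print pid; exit }
    '
}

# Constructed sample of the esxcli output for a two-NIC VM (my own test data,
# not taken from a real host); used only to check the parser offline.
sample_port_list() {
    cat <<'EOF'
   Port ID: 50331659
   vSwitch: vSwitch0
   Portgroup: VM Network
   DVPort ID:
   MAC Address: 00:50:56:a1:b2:c3
   IP Address: 0.0.0.0
   Team Uplink: vmnic0
   Uplink Port ID: 50331650
   Active Filters:

   Port ID: 50331660
   vSwitch: vSwitch1
   Portgroup: Backend
   DVPort ID:
   MAC Address: 00:50:56:a1:b2:c4
   IP Address: 0.0.0.0
   Team Uplink: vmnic1
   Uplink Port ID: 50331651
   Active Filters:
EOF
}

capture_pid=""
fifo=""

# Stop only the pktcap-uw we started and remove the pipe, whether the script
# ends normally or is interrupted with Ctrl-C.
cleanup() {
    if [ -n "$capture_pid" ]; then kill "$capture_pid" 2>/dev/null || true; fi
    if [ -n "$fifo" ]; then rm -f "$fifo"; fi
}

main() {
    world_id=$1
    vm_mac=$2
    shift 2
    port_id=$(esxcli network vm port list -w "$world_id" | parse_port_id "$vm_mac")
    if [ -z "$port_id" ]; then
        echo "no port with MAC $vm_mac found for world $world_id" >&2
        return 1
    fi
    fifo="/tmp/pktcap-$$.cap"   # one pipe per run so two captures never collide
    mkfifo "$fifo"
    trap cleanup EXIT INT TERM
    # The writer goes to the background: opening a FIFO for writing blocks
    # until tcpdump-uw opens it for reading. Any remaining arguments are
    # passed to pktcap-uw (e.g. --ip 10.0.0.5 or --tcpport 443), so the
    # filtering happens on the capture side.
    pktcap-uw --switchport "$port_id" -o "$fifo" "$@" &
    capture_pid=$!
    tcpdump-uw -nn -r "$fifo"
}

# Only capture when invoked with arguments; sourcing the file just defines
# the functions so parse_port_id can be exercised on its own.
if [ $# -ge 2 ]; then
    main "$@"
fi
```

Run it as `sh vm-tcpdump.sh 12345 00:50:56:a1:b2:c4 --tcpport 443` after looking up the world ID with `esxcli network vm list`; Ctrl-C ends tcpdump-uw, and the trap stops pktcap-uw and removes the pipe.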

Happy capturing!


Rudolf Kleijwegt

I am an experienced IT professional with over 20 years of hands-on experience designing, deploying, and maintaining IT infrastructure in both enterprise and service provider environments. My skills span across Linux and Windows and a multitude of server applications, allowing me to excel in a wide range of IT roles. Currently, my primary focus is on Software Defined DataCenter and DevOps. I am passionate about staying up to date with the latest trends in the industry to achieve superior outcomes.
