As a vSphere admin you are sometimes tasked with investigating network issues. You don’t always have VM access so you need to diagnose at the ESXi level. Now as some of you may know quickly gaining insight in VM network traffic by capturing it on the ESXi level is a rather complex task. The tool at your disposal for capturing VM traffic is called pktcap-uw and one of it’s biggest shortcomings is that it doesn’t interpret the packets.

Sometimes all you need at first is basic capture output which tcpdump provides. If the issue doesn’t become apparent from this first analysis you can always save a capture file to disk and use wireshark for further investigation. So what if I tell you there is a way to do this without first saving a capture to disk?

🛈 Update
Sometimes you gain new insights and you realize there are ways to do things more efficiently. I learned that after creating this post that you can also use stdout/stdin and regular pipes. And looking up switchport IDs can also be done more efficiently. So I adjusted the post accordingly.

To create a capture of a VM you first need to lookup the correct switch port ID. You can do this by simply typing:

[root@esx01:~] net-stats -l
PortNum          Type SubType SwitchName       MACAddress         ClientName
2214592519          4       0 DvsPortset-0     80:ee:73:f0:ab:b5  vmnic1
67108873            3       0 DvsPortset-0     80:ee:73:f0:ab:b5  vmk0
67108874            3       0 DvsPortset-0     00:50:56:69:68:af  vmk1
67108875            0       0 DvsPortset-0     02:50:56:56:44:52  vdr-vdrPort
67108876            5       9 DvsPortset-0     00:50:56:95:c5:a9  ubuntu-nas01.local.eth0
67108877            5       0 DvsPortset-0     00:00:00:00:00:00  vcsa01.local - vSphere 7U1-Passive.eth1
67108878            5       0 DvsPortset-0     00:00:00:00:00:00  vcsa01.local - vSphere 7U1-Passive.eth0

This will return all switch port IDs with the corresponding MAC addresses and VM names along with the interface. When you have the switch port ID you want to capture you can now start pktcap-uw.

pktcap-uw --switchport [port id] --capture VnicRx,VnicTx -o - |  tcpdump-uw -enr -

Note that the output is send to stdout by using the minus character. Then tcpdump-uw is used to read from stdin. Finally if you want to capture both ingress and egress traffic you need to specify the capture parameter with the VnicRx,VnicTx values.

Now on top of all this you can even use pcap filter expressions to only monitor a specific type of traffic. Like so.

pktcap-uw --switchport [port id] --capture VnicRx,VnicTx -o - | tcpdump-uw -enr - 'host'

Happy capturing!

Rudolf Kleijwegt

I am an experienced IT professional with over 20 years of hands-on experience designing, deploying, and maintaining IT infrastructure in both enterprise and service provider environments. My skills span across Linux and Windows and a multitude of server applications, allowing me to excel in a wide range of IT roles. Currently, my primary focus is on Software Defined DataCenter and DevOps. I am passionate about staying up to date with the latest trends in the industry to achieve superior outcomes.


Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *