As a vSphere admin you are sometimes tasked with investigating network issues. You don’t always have VM access so you need to diagnose at the ESXi level. Now as some of you may know quickly gaining insight in VM network traffic by capturing it on the ESXi level is a rather complex task. The tool at your disposal for capturing VM traffic is called pktcap-uw and one of it’s biggest shortcomings is that it doesn’t interpret the packets.

Sometimes all you need at first is basic capture output which tcpdump provides. If the issue doesn’t become apparent from this first analysis you can always save a capture file to disk and use wireshark for further investigation. So what if I tell you there is a way to do this without first saving a capture to disk?

If you are an experienced unix/linux engineer you may be familiar with the concept of named pipes. This provides you with a way to create a special file on your filesystem that can be used by multiple processes for reading or writing. ESXi is capable of using named pipes by using FIFO.

To create a named pipe you type the following command:

mkfifo /tmp/tcpdump.cap

Next up find the port ID of the VM you want to capture. For this you start by finding the VM world ID.

esxcli network vm list

Now use the world ID as a parameter to find the VM port ID

esxcli network vm port list -w [world id]

If the VM has multiple network interfaces make sure you check the mac address to make sure you select the right port ID. Now you can start using the named pipe by using pktcap-uw and have it send it’s output to the pipe with the -o flag.

pktcap-uw --switchport [port id] -o /tmp/tcpdump.cap &

Make sure to include the ampersand character so the command is executed in the background.

Now start tcpdump-uw to read the named pipe file and have the basic interpreted information about your captured network traffic.

tcpdump-uw -r /tmp/tcpdump.cap

One downside of using tcpdump with the -r flag is you can’t use any filters. So you need to do this at the pktcap-uw level. Thankfully as described in an earlier blog post pktcap-uw now supports pcap filters.

Finally if you want to kill the pktcap-uw process, you can use this one-liner.

kill $(lsof |grep pktcap-uw | awk '{print $1}'| sort -u)

Happy capturing!

Rudolf Kleijwegt

I am an experienced IT professional with over 20 years of hands-on experience designing, deploying, and maintaining IT infrastructure in both enterprise and service provider environments. My skills span across Linux and Windows and a multitude of server applications, allowing me to excel in a wide range of IT roles. Currently, my primary focus is on Software Defined DataCenter and DevOps. I am passionate about staying up to date with the latest trends in the industry to achieve superior outcomes.


Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *