As a vSphere admin you are sometimes tasked with investigating network issues. You don't always have VM access, so you need to diagnose at the ESXi level. As some of you may know, quickly gaining insight into VM network traffic by capturing it at the ESXi level is a rather complex task. The tool at your disposal for capturing VM traffic is called pktcap-uw, and one of its biggest shortcomings is that it doesn't interpret the packets.
Sometimes all you need at first is the basic capture output that tcpdump provides. If the issue doesn't become apparent from this first analysis, you can always save a capture file to disk and use Wireshark for further investigation. So what if I told you there is a way to do this without first saving a capture to disk?
🛈 Update: Sometimes you gain new insights and realize there are ways to do things more efficiently. After creating this post I learned that you can also use stdout/stdin and regular pipes, and that looking up switch port IDs can be done more efficiently. So I adjusted the post accordingly.
To create a capture of a VM you first need to look up the correct switch port ID. You can do this by simply typing:
```
[root@esx01:~] net-stats -l
PortNum     Type SubType SwitchName   MACAddress        ClientName
2214592519  4    0       DvsPortset-0 80:ee:73:f0:ab:b5 vmnic1
67108873    3    0       DvsPortset-0 80:ee:73:f0:ab:b5 vmk0
67108874    3    0       DvsPortset-0 00:50:56:69:68:af vmk1
67108875    0    0       DvsPortset-0 02:50:56:56:44:52 vdr-vdrPort
67108876    5    9       DvsPortset-0 00:50:56:95:c5:a9 ubuntu-nas01.local.eth0
67108877    5    0       DvsPortset-0 00:00:00:00:00:00 vcsa01.local - vSphere 7U1-Passive.eth1
67108878    5    0       DvsPortset-0 00:00:00:00:00:00 vcsa01.local - vSphere 7U1-Passive.eth0
```
This returns all switch port IDs with the corresponding MAC addresses and VM names, along with the interface. Once you have the switch port ID you want to capture, you can start pktcap-uw:
```
pktcap-uw --switchport [port id] --capture VnicRx,VnicTx -o - | tcpdump-uw -enr -
```
Note that the output is sent to stdout by giving the minus character as the output file (-o -), and tcpdump-uw then reads from stdin in the same way (-r -). Finally, if you want to capture both ingress and egress traffic, you need to pass both VnicRx and VnicTx to the --capture parameter.
On top of all this you can even use pcap filter expressions to monitor only a specific type of traffic, like so:
```
pktcap-uw --switchport [port id] --capture VnicRx,VnicTx -o - | tcpdump-uw -enr - 'host 192.168.1.1'
```
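The two steps above (finding the port in net-stats -l, then piping pktcap-uw into tcpdump-uw) wrapped into a small shell helper, as an added example that is not from the original post: the function and variable names, and the sample listing embedded so the lookup can be tried offline, are my own assumptions; the awk parsing treats everything from column 6 onward as the ClientName because VM names can contain spaces, and refuses to capture when the name is missing or ambiguous.

```shell
#!/bin/sh
# Resolve a VM's switch port from `net-stats -l` output and live-decode its traffic.
# On an ESXi host:  capture_vm 'ubuntu-nas01.local.eth0' 'host 192.168.1.1'

# port_for_client NAME : reads `net-stats -l` output on stdin and prints the PortNum
# whose ClientName (column 6 to end of line, since names may contain spaces) equals NAME.
# Exit status: 0 found, 1 not found, 2 more than one match (refuse to guess).
port_for_client() {
    awk -v want="$1" '
        NR > 1 {
            name = $6
            for (i = 7; i <= NF; i++) name = name " " $i
            if (name == want) { port = $1; hits++ }
        }
        END {
            if (hits == 1) { print port; exit 0 }
            if (hits == 0) exit 1
            exit 2
        }'
}

# capture_vm NAME [PCAP_FILTER] : look the port up, then stream both directions
# (VnicRx,VnicTx) straight into tcpdump-uw without writing a capture file.
capture_vm() {
    port=$(net-stats -l | port_for_client "$1") || {
        echo "no unique switch port for '$1' (rc=$?)" >&2; return 1; }
    shift
    pktcap-uw --switchport "$port" --capture VnicRx,VnicTx -o - | tcpdump-uw -enr - "$@"
}

# Constructed sample of `net-stats -l` output (a subset of the post's listing)
# so the lookup can be exercised without an ESXi host.
SAMPLE_NET_STATS='PortNum Type SubType SwitchName MACAddress ClientName
2214592519 4 0 DvsPortset-0 80:ee:73:f0:ab:b5 vmnic1
67108873 3 0 DvsPortset-0 80:ee:73:f0:ab:b5 vmk0
67108876 5 9 DvsPortset-0 00:50:56:95:c5:a9 ubuntu-nas01.local.eth0
67108877 5 0 DvsPortset-0 00:00:00:00:00:00 vcsa01.local - vSphere 7U1-Passive.eth1
67108878 5 0 DvsPortset-0 00:00:00:00:00:00 vcsa01.local - vSphere 7U1-Passive.eth0'

printf '%s\n' "$SAMPLE_NET_STATS" | port_for_client 'ubuntu-nas01.local.eth0'   # → 67108876
```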
Happy capturing!