In my previous post I explained how to quickly interpret a network capture on ESXi by using pktcap-uw and tcpdump-uw. This works great to get some information at a glance. But what if you require some further analysis? Well, then Wireshark is probably your tool of choice. Check out the rest of this blog post to learn how to set up remote capturing so you don’t need temporary storage on ESXi for your capture files.
The basic requirements for remote capturing on ESXi are pretty simple. You need a SSH client and you need a copy of Wireshark installed.
Next up you need to find out on which switchport or uplink you want to capture from. In my case I almost exclusively monitor on the switchport level and the easiest way to enumerate which VMs are attached to which ports is net-stats -l
[root@esx01:~] net-stats -l PortNum Type SubType SwitchName MACAddress ClientName 2214592519 4 0 DvsPortset-0 80:ee:73:f0:ab:b5 vmnic1 67108873 3 0 DvsPortset-0 80:ee:73:f0:ab:b5 vmk0 67108874 3 0 DvsPortset-0 00:50:56:69:68:af vmk1 67108875 0 0 DvsPortset-0 02:50:56:56:44:52 vdr-vdrPort 67108876 5 9 DvsPortset-0 00:50:56:95:c5:a9 ubuntu-nas01.local.eth0 67108877 5 0 DvsPortset-0 00:00:00:00:00:00 vcsa01.local - vSphere 7U1-Passive.eth1 67108878 5 0 DvsPortset-0 00:00:00:00:00:00 vcsa01.local - vSphere 7U1-Passive.eth0
Now just like in my previous post you can use the port ID to construct the pktcap-uw command you want to execute. However we are not piping the output of this command to tcpdump-uw.
pktcap-uw --switchport [port id] --capture VnicRx,VnicTx -o -
Instead we will use this command as a parameter to your ssh client. In my case I used a windows box, so I used plink to connect to my ESXi server.
plink.exe -batch -ssh -pw [password] root@[hostname] "pktcap-uw --switchport [port id] --capture VnicRx,VnicTx -o -" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -
This command launches a SSH session to ESXi and execute pktcap-uw which sends it’s output to STDOUT over the SSH session. Which in turn can be piped to Wireshark and have it read from STDIN. What a simple but elegant solution. And although on a Mac or Linux box you’ll use a different SSH client, the syntax stays mostly the same.
Without using a packet filter obviously you receive a lot of data. The fact you no longer have to temporarily store your capture on ESXi makes this less of a problem, but nobody has unlimited storage. If you only capture for a short while this won’t be a problem. But if you want to capture for longer periods pktcap-uw has a myriad of options to filter your capture.
So again….. Happy capturing!