In my previous post I explained how to quickly interpret a network capture on ESXi by using pktcap-uw and tcpdump-uw. This works great to get some information at a glance. But what if you require some further analysis? Well, then Wireshark is probably your tool of choice. Check out the rest of this blog post to learn how to set up remote capturing so you don’t need temporary storage on ESXi for your capture files.

The basic requirements for remote capturing on ESXi are pretty simple. You need an SSH client and a copy of Wireshark installed.

Next you need to find out which switchport or uplink you want to capture from. In my case I almost exclusively monitor at the switchport level, and the easiest way to enumerate which VMs are attached to which ports is net-stats -l:

[root@esx01:~] net-stats -l
PortNum          Type SubType SwitchName       MACAddress         ClientName
2214592519          4       0 DvsPortset-0     80:ee:73:f0:ab:b5  vmnic1
67108873            3       0 DvsPortset-0     80:ee:73:f0:ab:b5  vmk0
67108874            3       0 DvsPortset-0     00:50:56:69:68:af  vmk1
67108875            0       0 DvsPortset-0     02:50:56:56:44:52  vdr-vdrPort
67108876            5       9 DvsPortset-0     00:50:56:95:c5:a9  ubuntu-nas01.local.eth0
67108877            5       0 DvsPortset-0     00:00:00:00:00:00  vcsa01.local - vSphere 7U1-Passive.eth1
67108878            5       0 DvsPortset-0     00:00:00:00:00:00  vcsa01.local - vSphere 7U1-Passive.eth0

Now, just like in my previous post, you can use the port ID to construct the pktcap-uw command you want to execute. This time, however, we are not piping the output of this command to tcpdump-uw.

pktcap-uw --switchport [port id] --capture VnicRx,VnicTx -o -

Instead we will pass this command as a parameter to your SSH client. In my case I used a Windows box, so I used plink to connect to my ESXi server.

plink.exe -batch -ssh -pw [password] root@[hostname] "pktcap-uw --switchport [port id] --capture VnicRx,VnicTx -o -" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

This command launches an SSH session to ESXi and executes pktcap-uw, which sends its output to STDOUT over the SSH session. That output in turn is piped to Wireshark, which reads it from STDIN. What a simple but elegant solution. And although on a Mac or Linux box you’ll use a different SSH client, the syntax stays mostly the same.

Without a packet filter you obviously receive a lot of data. The fact that you no longer have to temporarily store your capture on ESXi makes this less of a problem, but nobody has unlimited storage. If you only capture for a short while this won’t be an issue, but if you want to capture for longer periods, pktcap-uw has a myriad of options to filter your capture.
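As an added example (not code from the original post), here is a small POSIX shell wrapper around the same pipeline for a Mac or Linux box: it checks that the port ID from net-stats -l is purely numeric before splicing it into the command the remote shell will run, authenticates with a key file instead of putting a password on the command line the way plink's -pw does (that password is visible in the local process list), and can optionally write the stream to a local pcap file instead of Wireshark. The ESXI_HOST, ESXI_KEY and WIRESHARK variables and the function names are assumptions of this example; the pktcap-uw filter flags used (--tcpport, --ip, -c) are the ones listed by pktcap-uw -h.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps "pktcap-uw ... -o -" over
# SSH so the capture never touches ESXi storage, and validates the inputs.

# Build the remote pktcap-uw command line.
#   $1 = switchport id (numeric, taken from `net-stats -l`)
#   $2 = optional pktcap-uw filter flags, e.g. "--tcpport 443" or "--ip 10.0.0.5"
#   $3 = optional packet count limit (pktcap-uw -c)
# The port id must be all digits: the string is executed by the remote shell,
# so nothing copied from an untrusted source may be spliced into it.
build_pktcap_cmd() {
    port="$1"; filter="${2:-}"; count="${3:-}"
    case "$port" in
        ''|*[!0-9]*) echo "invalid switchport id: $port" >&2; return 1 ;;
    esac
    cmd="pktcap-uw --switchport $port --capture VnicRx,VnicTx"
    [ -n "$filter" ] && cmd="$cmd $filter"
    [ -n "$count" ]  && cmd="$cmd -c $count"
    printf '%s -o -\n' "$cmd"
}

# Stream the capture over SSH into Wireshark (default) or into a local file.
#   capture_port <port id> [filter] [count] [output.pcap]
# ESXI_HOST, ESXI_KEY and WIRESHARK are placeholders for your environment.
capture_port() {
    remote=$(build_pktcap_cmd "$1" "${2:-}" "${3:-}") || return 1
    out="${4:-}"
    host="${ESXI_HOST:-esx01}"                  # hostname or IP of the ESXi host
    key="${ESXI_KEY:-$HOME/.ssh/esxi_ed25519}"  # private key; no password in argv
    if [ -n "$out" ]; then
        ssh -i "$key" "root@$host" "$remote" > "$out"
    else
        ssh -i "$key" "root@$host" "$remote" | "${WIRESHARK:-wireshark}" -k -i -
    fi
}
```

Run it as `capture_port 67108873 '--tcpport 443' 1000` to watch only TCP/443 on vmk0 from the listing above, or add a fourth argument to keep the capture in a local file for later analysis.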

So again... Happy capturing!

Rudolf Kleijwegt

I am an experienced IT professional with over 20 years of hands-on experience designing, deploying, and maintaining IT infrastructure in both enterprise and service provider environments. My skills span across Linux and Windows and a multitude of server applications, allowing me to excel in a wide range of IT roles. Currently, my primary focus is on Software Defined DataCenter and DevOps. I am passionate about staying up to date with the latest trends in the industry to achieve superior outcomes.
