ESXi: Capture Network packets on a vSwitch port or on a VM’s NIC

Hi,


ESXi offers some extented methods to capture network packets. Here are some examples.

First of all logon to your ESXi host by ssh.

To capture all traffic on a vmkernel interface use tcpdump-uw.
List all vmkernel interfaces


~ # esxcfg-vmknic -l
Interface  
vmk0    .....   
vmk1    .....   


and start tracing at a specific interface with a filter to host 10.254.1.3

~ # tcpdump-uw -i vmk0 host 10.254.1.3

To capture packets on a physical interface you cannot use tcpdump-uw, use pktcap-uw instead.
List all physical nics


~ # esxcfg-nics -l
Name    PCI           Driver      Link Speed    
vmnic0  0000:04:00.00 igb         Up   1000Mbps 
vmnic1  0000:04:00.01 igb         Up   1000Mbps 

And start tracing, the uplink parameter is used to select a nic, the -o parameter write all packets to a file, the –mac parameter works as filter.


~ # pktcap-uw  --uplink  vmnic5 --mac 00:50:56:34:17:b5 -o /tmp/test_lost_connection.cap
The name of the uplink is vmnic5
The session filter mac(src or dst) is00:50:56:34:17:b5
The output file is /tmp/test_lost_connection.cap
No server port specifed, select 11727 as the port
Local CID 2
Listen on port 11727
Accept...Vsock connection from port 1030 cid 2
Dump: 1, broken : 0, drop: 0, file err: 0Destroying session 6

Capture only packets with a VLAN tag 111 and filter on IP Address 10.10.254.200 (src or dst)


~ # pktcap-uw  --uplink  vmnic5 --vlan 111 --ip 10.10.254.200 -o /tmp/test_lost_connection.cap

See


~ #  pktcap-uw --help

for more flow filter options.
It’s also possible to trace at a specific vSwitch port. You need the Portnumber to which, for example, a virtual machine is connected to.


~ # net-stats -l
PortNum          Type SubType SwitchName       MACAddress         ClientName
100663305           5       7 vSwitch4         00:50:56:34:17:b5  ClientVM1
100663306           5       7 vSwitch4         00:50:56:b3:47:b2  ClientVM2

And start tracing


~ # pktcap-uw --switchport 100663305           
The switch port id is 0x06000008
No server port specifed, select 13530 as the port
Output the packet info to console.
Local CID 2
Listen on port 13530
Accept...Vsock connection from port 1031 cid 2

Some useful network commands

List arp cache of an ESXi Host

~ # esxcli network ip neighbor

List networks for all VM’s running on a host

~ # esxcli network vm list
26525310 ClientVM1 1 VLAN_CLIENTS

Details of the vSwitch port of an VM


~ # esxcli network vm port list -w 26525310
   Port ID: 83886099
   vSwitch: vSwitch3
   Portgroup: VLAN_CLIENTS
   DVPort ID:
   MAC Address: 00:50:56:34:17:b5
   IP Address: 0.0.0.0
   Team Uplink: vmnic5
   Uplink Port ID: 83886082
   Active Filters:

To see the IP Address in the port details you have to activate ARP paket inspection

~ # esxcli system settings advanced set -o /Net/GuestIPHack -i 1

Get statistic for a VM port

~ # esxcli network port stats get -p 83886099
Packet statistics for port 83886099
Packets received: 8661
Packets sent: 2177
Bytes received: 747129
Bytes sent: 133151
Broadcast packets received: 4779
Broadcast packets sent: 2135
Multicast packets received: 311
Multicast packets sent: 42
Unicast packets received: 3571
Unicast packets sent: 0
Receive packets dropped: 393
Transmit packets dropped: 0

Michael

Leave a Reply