Hi,
ESXi offers some extended methods to capture network packets. Here are some examples.
First of all, log on to your ESXi host via SSH.
To capture all traffic on a vmkernel interface use tcpdump-uw.
List all vmkernel interfaces
~ # esxcfg-vmknic -l
Interface
vmk0 .....
vmk1 .....
Then start tracing on a specific interface, filtering on host 10.254.1.3
~ # tcpdump-uw -i vmk0 host 10.254.1.3
To capture packets on a physical interface you cannot use tcpdump-uw; use pktcap-uw instead.
List all physical NICs
~ # esxcfg-nics -l
Name PCI Driver Link Speed
vmnic0 0000:04:00.00 igb Up 1000Mbps
vmnic1 0000:04:00.01 igb Up 1000Mbps
Then start tracing. The --uplink parameter selects a NIC, the -o parameter writes all packets to a file, and the --mac parameter works as a filter.
~ # pktcap-uw --uplink vmnic5 --mac 00:50:56:34:17:b5 -o /tmp/test_lost_connection.cap
The name of the uplink is vmnic5
The session filter mac(src or dst) is00:50:56:34:17:b5
The output file is /tmp/test_lost_connection.cap
No server port specifed, select 11727 as the port
Local CID 2
Listen on port 11727
Accept...Vsock connection from port 1030 cid 2
Dump: 1, broken : 0, drop: 0, file err: 0Destroying session 6
Capture only packets with VLAN tag 111 and filter on IP address 10.10.254.200 (src or dst)
~ # pktcap-uw --uplink vmnic5 --vlan 111 --ip 10.10.254.200 -o /tmp/test_lost_connection.cap
See
~ # pktcap-uw --help
for more flow filter options.
It’s also possible to trace on a specific vSwitch port. You need the port number to which, for example, a virtual machine is connected.
~ # net-stats -l
PortNum Type SubType SwitchName MACAddress ClientName
100663305 5 7 vSwitch4 00:50:56:34:17:b5 ClientVM1
100663306 5 7 vSwitch4 00:50:56:b3:47:b2 ClientVM2
And start tracing
~ # pktcap-uw --switchport 100663305
The switch port id is 0x06000008
No server port specifed, select 13530 as the port
Output the packet info to console.
Local CID 2
Listen on port 13530
Accept...Vsock connection from port 1031 cid 2
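The port lookup and capture start shown above can be scripted. This is an added example, not from the original post: it parses net-stats -l output (a constructed sample with the same columns as the listing above), resolves a client name to its PortNum and prints the matching pktcap-uw command. The function names and the sample variable are hypothetical, and client names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: resolve a VM's vSwitch port from `net-stats -l` output
# and build the matching pktcap-uw command line.

# Constructed sample, same column layout as the listing in the post.
SAMPLE_NET_STATS='PortNum Type SubType SwitchName MACAddress ClientName
100663305 5 7 vSwitch4 00:50:56:34:17:b5 ClientVM1
100663306 5 7 vSwitch4 00:50:56:b3:47:b2 ClientVM2'

# port_for_client NAME   (reads `net-stats -l` output on stdin)
# Prints the PortNum whose ClientName (last column) equals NAME.
# Returns 1 if no port matches, 2 if several ports match,
# so an ambiguous name never silently selects the wrong port.
# Assumption: ClientName contains no spaces.
port_for_client() {
    awk -v want="$1" '
        NR == 1 && $1 == "PortNum" { next }          # skip the header row
        $NF == want && $1 ~ /^[0-9]+$/ { port[n++] = $1 }
        END {
            if (n == 0) exit 1
            if (n > 1)  exit 2
            print port[0]
        }'
}

# capture_cmd NAME OUTFILE   (reads `net-stats -l` output on stdin)
# Prints the pktcap-uw command for that client's port; it does not
# start the capture, so the result can be reviewed first.
capture_cmd() {
    port=$(port_for_client "$1") || return $?
    printf 'pktcap-uw --switchport %s -o %s\n' "$port" "$2"
}

# Demo on the constructed sample. On a host you would pipe the real
# listing instead:  net-stats -l | capture_cmd ClientVM1 /tmp/ClientVM1.cap
printf '%s\n' "$SAMPLE_NET_STATS" | capture_cmd ClientVM1 /tmp/ClientVM1.cap
```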
Some useful network commands
List the ARP cache of an ESXi host
~ # esxcli network ip neighbor list
List networks for all VMs running on a host
~ # esxcli network vm list
26525310 ClientVM1 1 VLAN_CLIENTS
Details of the vSwitch port of a VM
~ # esxcli network vm port list -w 26525310
Port ID: 83886099
vSwitch: vSwitch3
Portgroup: VLAN_CLIENTS
DVPort ID:
MAC Address: 00:50:56:34:17:b5
IP Address: 0.0.0.0
Team Uplink: vmnic5
Uplink Port ID: 83886082
Active Filters:
To see the IP address in the port details you have to activate ARP packet inspection
~ # esxcli system settings advanced set -o /Net/GuestIPHack -i 1
Get statistics for a VM port
~ # esxcli network port stats get -p 83886099
Packet statistics for port 83886099
Packets received: 8661
Packets sent: 2177
Bytes received: 747129
Bytes sent: 133151
Broadcast packets received: 4779
Broadcast packets sent: 2135
Multicast packets received: 311
Multicast packets sent: 42
Unicast packets received: 3571
Unicast packets sent: 0
Receive packets dropped: 393
Transmit packets dropped: 0
Michael