When running a traffic capture (TCPdump), a virtual service must first be selected.

Virtual services can exist on a single SE or be scaled out across multiple active SEs. Traffic captures will automatically be run on all SEs actively handling traffic for the virtual service. Once the captures are complete, the SEs forward their pcap files to the Controller, which aggregates and sorts the data into a single file.

To view traffic flowing through a single SE for a scaled-out virtual service, add a filter to the pcap viewer with the desired SE’s IP address on the server side of the connection.

Taking traffic capture for a virtual service in VMware cloud

TCPdump option is available in NSX Advanced Load Balancer to capture traffic for virtual services as part of troubleshooting. The packet capture is done on all SEs hosting the virtual service and collated into the completed capture. In a VMware environment, a TCPdump on the vNIC of the SE for the virtual service cannot be run when DPDK is enabled by default.

When DPDK is enabled, all the virtual service packets destined to and from the SE will be in the user-space driver. An application like TCPdump picks packets from the kernel interface queues. The best way to capture the packets on the SE in a VMware cloud is to enable the traffic capture on the NSX Advanced Load Balancer Controller.