Use the pktcap-uw utility to trace the path that packets traverse in the network stack for latency analysis and for locating the point where a packet is corrupted or dropped.

About this task

The pktcap-uw utility shows the path of packets together with timestamps that note the time when a packet is handled by a networking function on ESXi. The utility reports the path of a packet immediately before it is released from the stack.

To view the full path information for a packet, you must print the result from the pktcap-uw utility in the console output or save it to a PCAPNG file.

Procedure

  1. In the ESXi Shell to the host, run the pktcap-uw --trace command with options to filter traced packets, save the result to a file and limit the number of traced packets.
    pktcap-uw --trace [filter_options] [--outfile pcap_file_path [--ng]] [--count number_of_packets]

    where the square brackets [] enclose optional items of the pktcap-uw --trace command and the vertical bars | represent alternative values.

    1. Use a filter_options to filter packets according to source and destination address, VLAN ID, VXLAN ID, Layer 3 protocol, and TCP port.

      For example, to monitor packets from a source system that has IP address 192.168.25.113, use the --srcip 192.168.25.113 filter option.

    2. Use options to save the contents of each packet or the contents of a limited number of packets to a .pcap or .pcapng file.
      • To save packets to a .pcap file, use the --outfile option.

      • To save packets to a .pcapng file, use the --ng and --outfile options.

      You can open the file in a network analyzer tool such as Wireshark.

      By default, the pktcap-uw utility saves the packet files to the root folder of the ESXi file system.

      Note:

      A .pcap file contains only the contents of traced packets. To collect packet paths besides packet content, save the output to a .pcapng file.

    3. Use the--count option to monitor only a number of packets.
  2. If you have not limited the number of packets by using the --count option, press Ctrl+C to stop capturing or tracing packets.

What to do next

If the contents of the packet are saved to a file, copy the file from the ESXi host to the system that runs a graphical analyzer tool, such as Wireshark, and open it in the tool to examine the packet details.