Monitor host traffic related to the external network by capturing packets at certain points in the path between a vSphere Standard Switch or vSphere Distributed Switch and a physical adapter.

You can specify a certain capture point in the data path between a virtual switch and a physical adapter, or determine a capture point by traffic direction with regard to the switch and proximity to the packet source or destination. For information about supported capture points, see Capture Points of the pktcap-uw Utility.

Procedure

  1. (Optional) Find the name of the physical adapter that you want to monitor in the host adapter list.
    • In the vSphere Web Client, on the Configure tab for the host, expand Networking and select Physical adapters.
    • In the ESXi Shell to the host, to view a list of the physical adapters and examine their state, run the following ESXCLI command: 
      esxcli network nic list
    Each physical adapter is represented as vmnicX. X is the number that ESXi assigned to the physical adapter port.
  2. In the ESXi Shell to the host, run the pktcap-uw command with the --uplink vmnicX argument and with options to monitor packets at a particular point, filter captured packets and save the result to a file. 
    pktcap-uw --uplink vmnicX [--capture capture_point|--dir 0|1]  [filter_options] [--outfile pcap_file_path [--ng]] [--count number_of_packets]

    where the square brackets [] enclose the options of the pktcap-uw --uplink vmnicX command and the vertical bars | represent alternative values.

    If you run the pktcap-uw --uplink vmnicX command without options, you obtain the content of packets that are incoming to the standard or distributed switch in the console output at the point where they are switched.

    1. Use the --capture option to check packets at another capture point or the --dir option at another traffic direction.
      pktcap-uw Command Option Goal
      --capture UplinkSnd Monitor packets immediately before they enter the physical adapter device.
      --capture UplinkRcv Monitor packets immediately after they are received in the network stack from the physical adapter.
      --dir 1 Monitor packets that leave the virtual switch.
      --dir 0 Monitor packets that enter the virtual switch.
    2. Use a filter_options to filter packets according to source and destination address, VLAN ID, VXLAN ID, Layer 3 protocol, and TCP port.
      For example, to monitor packets from a source system that has IP address 192.168.25.113, use the --srcip 192.168.25.113 filter option.
    3. Use options to save the contents of each packet or the contents of a limited number of packets to a .pcap or .pcapng file.
      • To save packets to a .pcap file, use the --outfile option.
      • To save packets to a .pcapng file, use the --ng and --outfile options.

      You can open the file in a network analyzer tool such as Wireshark.

      By default, the pktcap-uw utility saves the packet files to the root folder of the ESXi file system.

    4. Use the--count option to monitor only a number of packets.
  3. If you have not limited the number of packets by using the --count option, press Ctrl+C to stop capturing or tracing packets.

Example: Capture Packets That Are Received at vmnic0 from an IP Address 192.168.25.113

To capture the first 60 packets from a source system that is assigned the IP address 192.168.25.113 at vmnic0 and save them to a file called vmnic0_rcv_srcip.pcap, run the following pktcap-uw command: 

 pktcap-uw --uplink vmnic0 --capture UplinkRcv --srcip 192.168.25.113 --outfile vmnic0_rcv_srcip.pcap --count 60

What to do next

If the contents of the packet are saved to a file, copy the file from the ESXi host to the system that runs a graphical analyzer tool, such as Wireshark, and open it in the tool to examine the packet details.