Monitor packets that are exchanged between a VMkernel adapter and a virtual switch by using the pktcap-uw utility.

You can capture packets at a certain capture point in the flow between a virtual switch and a VMkernel adapter. You can also determine a capture point by traffic direction with regard to the switch and proximity to the packet source or destination. For information about supported capture points, see Capture Points of the pktcap-uw Utility.

Procedure

  1. (Optional) Find the name of the VMkernel adapter that you want to monitor in the VMkernel adapter list.
    • In the vSphere Web Client, expand Networking on the Configure tab for the host and select VMkernel adapters.
    • In the ESXi Shell to the host, to view a list of the physical adapters, run the following console command: 
      esxcli network ip interface list
    Each VMkernel adapter is represented as vmkX, where X is the sequence number that ESXi assigned to the adapter.
  2. In the ESXi Shell to the host, run the pktcap-uw command with the --vmk vmkX argument and with options to monitor packets at a particular point, filter captured packets and save the result to a file. 
    pktcap-uw --vmk vmkX [--capture capture_point|--dir 0|1 --stage 0|1]  [filter_options] [--outfile pcap_file_path [--ng]] [--count number_of_packets]

    where the square brackets [] enclose the options of the pktcap-uw --vmk vmkX command and the vertical bars | represent alternative values.

    You can replace the --vmk vmkX option with --switchport vmkernel_adapter_port_ID, where vmkernel_adapter_port_ID is the PORT-ID value that the network panel of the esxtop utility displays for the adapter.

    If you run the pktcap-uw --vmk vmkX command without options, you obtain the content of packets that are leaving the VMkernel adapter.

    1. To check transmitted or received packets at a specific place and direction, use the --capture option, or combine the values of the --dir and --stage options.
      pktcap-uw Command Options Goal
      --dir 1 --stage 0 Monitor packets immediately after they leave the virtual switch.
      --dir 1 Monitor packets immediately before they enter the VMkernel adapter.
      --dir 0 --stage 1 Monitor packets immediately before they enter the virtual switch.
    2. Use a filter_options to filter packets according to source and destination address, VLAN ID, VXLAN ID, Layer 3 protocol, and TCP port.
      For example, to monitor packets from a source system that has IP address 192.168.25.113, use the --srcip 192.168.25.113 filter option.
    3. Use options to save the contents of each packet or the contents of a limited number of packets to a .pcap or .pcapng file.
      • To save packets to a .pcap file, use the --outfile option.
      • To save packets to a .pcapng file, use the --ng and --outfile options.

      You can open the file in a network analyzer tool such as Wireshark.

      By default, the pktcap-uw utility saves the packet files to the root folder of the ESXi file system.

    4. Use the--count option to monitor only a number of packets.
  3. If you have not limited the number of packets by using the --count option, press Ctrl+C to stop capturing or tracing packets.

What to do next

If the contents of the packet are saved to a file, copy the file from the ESXi host to the system that runs a graphical analyzer tool, such as Wireshark, and open it in the tool to examine the packet details.