Monitor traffic that flows between a virtual switch and a VMXNET3 virtual machine adapter by using the pktcap-uw utility.

You can specify a certain capture point in the data path between a virtual switch and a virtual machine adapter. You can also determine a capture point by traffic direction with regard to the switch and proximity to the packet source or destination. For information about supported capture points, see Capture Points of the pktcap-uw Utility.

Prerequisites

Verify that the virtual machine adapter is of type VMXNET3.

Procedure

  1. On the host, learn the port ID of the virtual machine adapter by using the esxtop utility.
    1. In the ESXi Shell to the host, to start the utility, run esxtop.
    2. To switch to the network panel of the utility, press N.
    3. In the USED-BY column, locate the virtual machine adapter, and write down the PORT-ID value for it.
      The USED-BY field contains the name of the virtual machine and the port to which the virtual machine adapter is connected.
    4. Press Q to exit esxtop.
  2. In the ESXi Shell, run pktcap-uw --switchport port_ID.
    port_ID is the ID that the esxtop utility displays for the virtual machine adapter in the PORT-ID column.
  3. In the ESXi Shell, run the pktcap-uw command with the --switchport port_ID argument and with options to monitor packets at a particular point, filter captured packets and save the result to a file. 
    pktcap-uw --switchport port_ID [--capture capture_point|--dir 0|1 --stage 0|1]  [filter_options] [--outfile pcap_file_path [--ng]] [--count number_of_packets]

    where the square brackets [] enclose the options of the pktcap-uw --switchport port_ID command and the vertical bars | represent alternative values.

    If you run the pktcap-uw --switchport port_ID command without options, you obtain the content of packets that are incoming to the standard or distributed switch in the console output at the point when they are switched.

    1. To check packets at another capture point or direction in the path between the guest operating system and the virtual switch, use the --capture option or combine the values of the --dir and --stage options.
      pktcap-uw Command Options Goal
      --capture VnicTx Monitor packets when they pass from the virtual machine to the switch.
      --capture VnicRx Monitor packets when they arrive to the virtual machine.
      --dir 1 --stage 0 Monitor packets immediately after they leave the virtual switch.
      --dir 1 Monitor packets immediately before they enter the virtual machine.
      --dir 0 --stage 1 Monitor packets immediately after they enter the virtual switch.
    2. Use a filter_options to filter packets according to source and destination address, VLAN ID, VXLAN ID, Layer 3 protocol, and TCP port.
      For example, to monitor packets from a source system that has IP address 192.168.25.113, use the --srcip 192.168.25.113 filter option.
    3. Use options to save the contents of each packet or the contents of a limited number of packets to a .pcap or .pcapng file.
      • To save packets to a .pcap file, use the --outfile option.
      • To save packets to a .pcapng file, use the --ng and --outfile options.

      You can open the file in a network analyzer tool such as Wireshark.

      By default, the pktcap-uw utility saves the packet files to the root folder of the ESXi file system.

    4. Use the--count option to monitor only a number of packets.
  4. If you have not limited the number of packets by using the --count option, press Ctrl+C to stop capturing or tracing packets.

Example: Capture Packets That Are Received at a Virtual Machine from an IP Address 192.168.25.113

To capture the first 60 packets from a source that is assigned the IP address 192.168.25.113 when they arrive at a virtual machine adapter with port ID 33554481 and save them to a file called vmxnet3_rcv_srcip.pcap, run the following pktcap-uw command: 

 pktcap-uw --switchport 33554481 --capture VnicRx --srcip 192.168.25.113 --outfile vmxnet3_rcv_srcip.pcap --count 60

What to do next

If the contents of the packet are saved to a file, copy the file from the ESXi host to the system that runs a graphical analyzer tool, such as Wireshark, and open it in the tool to examine the packet details.