Use the PacketCapture utility to diagnose networking problems such as slow connections, lost packets, and connectivity problems.

About this task

PacketCapture is a lightweight tcpdump utility that captures and stores only the minimum amount of data that is needed to diagnose the network problem. PacketCapture is integrated in the rhttpproxy service of ESXi and vCenter Server Appliance. You start and stop PacketCapture by editing the rhttpproxy service XML configuration file.

Procedure

  1. Start capturing packets.
    1. Open an SSH connection and log in to the ESXi host or vCenter Server Appliance.
    2. Open the config.xml file for editing.

      | vSphere Component        | File Location                     |
      |--------------------------|-----------------------------------|
      | ESXi                     | /etc/vmware/rhttpproxy/config.xml |
      | vCenter Server Appliance | /etc/vmware-rhttpproxy/config.xml |

    3. Make the following changes.
      <config>
        <packetCapture>
          <enabled>true</enabled>
        </packetCapture>
        <!-- other rhttpproxy settings stay unchanged -->
      </config>
    4. (Optional) Configure PacketCapture options.

      | Option and Default Value | Description |
      |--------------------------|-------------|
      | `<validity>72</validity>` | On startup, delete all pcap and pcap.gz files that were last modified before the specified period of hours and are not part of the current process. |
      | `<directory>/directory_path</directory>` | The directory in which pcap and pcap.gz files are stored. The directory must exist and be accessible. |
      | `<maxDataInPcapFile>52428800</maxDataInPcapFile>` | The amount of captured data in bytes that each pcap and pcap.gz file can store before rolling over to the next file. The minimum size is 5 MB on vCenter Server Appliance and 2.5 MB on ESXi. Note: Storing 50 MB of captured data in a pcap file requires a pcap file of about 67.5 MB. |
      | `<maxPcapFilesCount>5</maxPcapFilesCount>` | The number of pcap or pcap.gz files to rotate. The minimum number is 2. |

    5. Save and close the config.xml file.
    6. Reload the config.xml file by running the following command.

      kill -SIGHUP `pidof rhttpproxy`

  2. Stop capturing packets.
    1. Open an SSH connection and log in to the ESXi host or vCenter Server Appliance.
    2. Open the config.xml file for editing.
    3. Make the following changes.
      <config>
        <packetCapture>
          <enabled>false</enabled>
        </packetCapture>
        <!-- other rhttpproxy settings stay unchanged -->
      </config>
    4. Save and close the config.xml file.
    5. Reload the config.xml file by running the following command.

      kill -SIGHUP `pidof rhttpproxy`

  3. Collect the captured data.

    The pcap or pcap.gz files are stored in the following default directories.

    | vSphere Component        | File Location              |
    |--------------------------|----------------------------|
    | ESXi                     | /var/run/log               |
    | vCenter Server Appliance | /var/log/vmware/rhttpproxy |
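The following is an added example, not part of the original documentation or of any VMware tooling: a Python check that reads the `<packetCapture>` element from a copy of config.xml, compares it with the defaults and minimums listed in the procedure, reports whether capture is still enabled, and estimates the worst-case disk use from the 50 MB to 67.5 MB note. The function name, the `platform` keys `esxi` and `vcsa`, the treatment of a missing `<enabled>` as off, and the linear size estimate are assumptions of this example.

```python
import os
import xml.etree.ElementTree as ET

MIB = 1024 * 1024
# Defaults, minimums and default directories as listed on this page.
DEFAULTS = {"validity": 72, "maxDataInPcapFile": 52428800, "maxPcapFilesCount": 5}
MIN_DATA = {"esxi": 5 * MIB // 2, "vcsa": 5 * MIB}  # 2.5 MB and 5 MB
DEFAULT_DIR = {"esxi": "/var/run/log", "vcsa": "/var/log/vmware/rhttpproxy"}

# Constructed sample, not a real rhttpproxy config.xml.
SAMPLE = """<config><packetCapture>
  <enabled>true</enabled>
  <directory>/no/such/dir</directory>
  <maxDataInPcapFile>1048576</maxDataInPcapFile>
  <maxPcapFilesCount>1</maxPcapFilesCount>
</packetCapture></config>"""

def check_packet_capture(xml_text, platform, dir_exists=os.path.isdir):
    """Return (settings, problems) for the <packetCapture> element."""
    pc = ET.fromstring(xml_text).find("packetCapture")
    def text(tag):
        node = pc.find(tag) if pc is not None else None
        return node.text.strip() if node is not None and node.text else None
    # Assumption: a missing <enabled> element means capture is off.
    s = {"enabled": (text("enabled") or "false").lower() == "true"}
    problems = []
    for tag, default in DEFAULTS.items():
        raw = text(tag)
        try:
            s[tag] = int(raw) if raw is not None else default
        except ValueError:
            s[tag] = default
            problems.append(f"{tag}: {raw!r} is not an integer")
    s["directory"] = text("directory") or DEFAULT_DIR[platform]
    if s["maxDataInPcapFile"] < MIN_DATA[platform]:
        problems.append(f"maxDataInPcapFile below minimum {MIN_DATA[platform]}")
    if s["maxPcapFilesCount"] < 2:
        problems.append("maxPcapFilesCount below minimum 2")
    if not dir_exists(s["directory"]):
        problems.append(f"directory {s['directory']} does not exist")
    # Note on this page: 50 MB of data needs a file of about 67.5 MB (27/20).
    # Assumption: the ratio is linear and the files are uncompressed pcap.
    s["worstCaseDiskBytes"] = s["maxDataInPcapFile"] * 27 // 20 * s["maxPcapFilesCount"]
    return s, problems

if __name__ == "__main__":
    settings, problems = check_packet_capture(SAMPLE, "esxi")
    print(settings)
    print("\n".join(problems) or "no problems found")
```

Run it against a copy of config.xml after step 1 to catch values below the stated minimums, and again after step 2 to confirm that `enabled` is false once troubleshooting is finished.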

What to do next

Copy the pcap and pcap.gz files to a system that runs a network analyzer tool, such as Wireshark, and examine the packet details.

Before you analyze the pcap and pcap.gz files captured from an ESXi host, use the TraceWrangler utility to fix the frame size metadata. For more information, see https://kb.vmware.com/kb/52843