Monitor traffic that flows between a virtual switch and a VMXNET3 virtual machine adapter by using the pktcap-uw utility.
You can specify a certain capture point in the data path between a virtual switch and a virtual machine adapter. You can also determine a capture point by traffic direction with regard to the switch and proximity to the packet source or destination. For information about supported capture points, see Capture Points of the pktcap-uw Utility.
Prerequisites
Verify that the virtual machine adapter is of type VMXNET3.
Procedure
- On the host, learn the port ID of the virtual machine adapter by using the esxtop utility.
  - In the ESXi Shell on the host, run esxtop to start the utility.
  - To switch to the network panel of the utility, press n.
  - In the USED-BY column, locate the virtual machine adapter, and write down the PORT-ID value for it.
    The USED-BY field contains the name of the virtual machine and the port to which the virtual machine adapter is connected.
  - Press Q to exit esxtop.
- In the ESXi Shell, run pktcap-uw --switchport port_ID.
  port_ID is the ID that the esxtop utility displays for the virtual machine adapter in the PORT-ID column.
- In the ESXi Shell, run the pktcap-uw command with the --switchport port_ID argument and with options to monitor packets at a particular point, filter captured packets and save the result to a file.
pktcap-uw --switchport port_ID [--capture capture_point|--dir 0|1 --stage 0|1] [filter_options] [--outfile pcap_file_path [--ng]] [--count number_of_packets]
where the square brackets [] enclose the options of the pktcap-uw --switchport port_ID command and the vertical bars | represent alternative values.
If you run the pktcap-uw --switchport port_ID command without options, you obtain the content of packets that are incoming to the standard or distributed switch in the console output at the point when they are switched.
  - To check packets at another capture point or direction in the path between the guest operating system and the virtual switch, use the --capture option or combine the values of the --dir and --stage options.

    | pktcap-uw Command Options | Goal |
    |---|---|
    | --capture VnicTx | Monitor packets when they pass from the virtual machine to the switch. |
    | --capture VnicRx | Monitor packets when they arrive at the virtual machine. |
    | --dir 1 --stage 0 | Monitor packets immediately after they leave the virtual switch. |
    | --dir 1 | Monitor packets immediately before they enter the virtual machine. |
    | --dir 0 --stage 1 | Monitor packets immediately after they enter the virtual switch. |

  - Use filter_options to filter packets according to source and destination address, VLAN ID, VXLAN ID, Layer 3 protocol, and TCP port.
    For example, to monitor packets from a source system that has IP address 192.168.25.113, use the --srcip 192.168.25.113 filter option.
  - Use options to save the contents of each packet or the contents of a limited number of packets to a .pcap or .pcapng file.
    - To save packets to a .pcap file, use the --outfile option.
    - To save packets to a .pcapng file, use the --ng and --outfile options.
    You can open the file in a network analyzer tool such as Wireshark.
    By default, the pktcap-uw utility saves the packet files to the root folder of the ESXi file system.
  - Use the --count option to monitor only a number of packets.
- If you have not limited the number of packets by using the --count option, press Ctrl+C to stop capturing or tracing packets.
Example: Capture Packets That Are Received at a Virtual Machine from an IP Address 192.168.25.113
To capture the first 60 packets from a source that is assigned the IP address 192.168.25.113 when they arrive at a virtual machine adapter with port ID 33554481 and save them to a file called vmxnet3_rcv_srcip.pcap, run the following pktcap-uw command:
pktcap-uw --switchport 33554481 --capture VnicRx --srcip 192.168.25.113 --outfile vmxnet3_rcv_srcip.pcap --count 60
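The options from this procedure combined into one bounded capture, as an added example that is not part of the original documentation: it validates the port ID, capture point, source IP, output path and packet count, then prints the pktcap-uw command instead of running it. The helper name build_pktcap_cmd and the datastore path in the sample call are assumptions.

```shell
#!/bin/sh
# Added example, not VMware code: build_pktcap_cmd is a hypothetical helper
# that prints a bounded pktcap-uw command line instead of running it.
build_pktcap_cmd() {
    port_id=$1; point=$2; src_ip=$3; outfile=$4; count=$5
    # PORT-ID as shown by esxtop is a decimal number.
    case $port_id in
        ''|*[!0-9]*) echo "error: port ID must be numeric" >&2; return 1 ;;
    esac
    # Only the two vNIC capture points from the table on this page.
    case $point in
        VnicTx|VnicRx) ;;
        *) echo "error: capture point must be VnicTx or VnicRx" >&2; return 1 ;;
    esac
    # Require a positive --count so the capture ends without Ctrl+C.
    case $count in
        ''|*[!0-9]*) echo "error: count must be a positive integer" >&2; return 1 ;;
    esac
    [ "$count" -gt 0 ] || { echo "error: count must be a positive integer" >&2; return 1; }
    # Source IP: digits and dots only, four octets, each 0-255.
    case $src_ip in
        ''|.*|*.|*[!0-9.]*) echo "error: bad source IP" >&2; return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $src_ip
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo "error: bad source IP" >&2; return 1; }
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || { echo "error: bad source IP" >&2; return 1; }
    done
    # Absolute path with plain characters; the extension decides on --ng.
    case $outfile in
        *[!A-Za-z0-9_./-]*) echo "error: unsupported character in outfile" >&2; return 1 ;;
        /*.pcapng) ng=" --ng" ;;
        /*.pcap)   ng="" ;;
        *) echo "error: outfile must be an absolute .pcap or .pcapng path" >&2; return 1 ;;
    esac
    # Never overwrite an earlier capture.
    if [ -e "$outfile" ]; then echo "error: $outfile exists" >&2; return 1; fi
    echo "pktcap-uw --switchport $port_id --capture $point --srcip $src_ip --outfile $outfile$ng --count $count"
}

# Constructed sample call; the datastore path is a placeholder.
build_pktcap_cmd 33554481 VnicRx 192.168.25.113 /vmfs/volumes/datastore1/vmxnet3_rcv_srcip.pcap 60
```

Requiring an absolute output path keeps the capture file out of the default location, the root folder of the ESXi file system.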
What to do next
If the contents of the packet are saved to a file, copy the file from the ESXi host to the system that runs a graphical analyzer tool, such as Wireshark, and open it in the tool to examine the packet details.