Examine how packets change when they pass through a vSphere Network Appliance (DVFilter).

DVFilters are agents that reside in the stream between a virtual machine adapter and a virtual switch. They intercept packets to protect virtual machines from security attacks and unwanted traffic.


  1. (Optional) To find the name of the DVFilter that you want to monitor, in the ESXi Shell, run the summarize-dvfilter command.
    The output of the command contains the fast-path and slow-path agents of the DVFilters that are deployed on the host.
  2. Run the pktcap-uw utility with the --dvfilter dvfilter_name argument and with options to monitor packets at a particular point, filter captured packets and save the result to a file.
    pktcap-uw --dvFilter dvfilter_name --capture PreDVFilter|PostDVFilter [filter_options] [--outfile pcap_file_path [--ng]] [--count number_of_packets]

    where the square brackets [] enclose optional items of the pktcap-uw --dvFilter vmnicX command and the vertical bars | represent alternative values.

    1. Use the --capture option to monitor packets before or after the DVFilter intercepts them.
      pktcap-uw Command Option Goal
      --capture PreDVFilter Capture packets before they enter the DVFilter.
      --capture PostDVFilter Capture packets after they leave the DVFilter.
    2. Use a filter_options to filter packets according to source and destination address, VLAN ID, VXLAN ID, Layer 3 protocol, and TCP port.
      For example, to monitor packets from a source system that has IP address, use the --srcip filter option.
    3. Use options to save the contents of each packet or the contents of a limited number of packets to a .pcap or .pcapng file.
      • To save packets to a .pcap file, use the --outfile option.
      • To save packets to a .pcapng file, use the --ng and --outfile options.

      You can open the file in a network analyzer tool such as Wireshark.

      By default, the pktcap-uw utility saves the packet files to the root folder of the ESXi file system.

    4. Use the--count option to monitor only a number of packets.
  3. If you have not limited the number of packets by using the --count option, press Ctrl+C to stop capturing or tracing packets.

What to do next

If the contents of the packet are saved to a file, copy the file from the ESXi host to the system that runs a graphical analyzer tool, such as Wireshark, and open it in the tool to examine the packet details.