Troubleshoot lost connectivity by capturing dropped packets through the pktcap-uw utility.

A packet might be dropped at a point in the network stream for many reasons, for example, a firewall rule, filtering in an IOChain and DVfilter, VLAN mismatch, physical adapter malfunction, checksum failure, and so on. You can use the pktcap-uw utility to examine where packets are dropped and the reason for the drop.


  1. In the ESXi Shell to the host, run the pktcap-uw --capture Drop command with options to monitor packets at a particular point, filter captured packets and save the result to a file.
    pktcap-uw --capture Drop [filter_options] [--outfile pcap_file_path [--ng]] [--count number_of_packets]

    where the square brackets [] enclose the options of the pktcap-uw --capture Drop command and the vertical bars | represent alternative values.

    1. Use a filter_options to filter packets according to source and destination address, VLAN ID, VXLAN ID, Layer 3 protocol, and TCP port.
      For example, to monitor packets from a source system that has IP address, use the --srcip filter option.
    2. Use options to save the contents of each packet or the contents of a limited number of packets to a .pcap or .pcapng file.
      • To save packets to a .pcap file, use the --outfile option.
      • To save packets to a .pcapng file, use the --ng and --outfile options.

      You can open the file in a network analyzer tool such as Wireshark.

      By default, the pktcap-uw utility saves the packet files to the root folder of the ESXi file system.

      Note: You can see the reason and the place where a packet is dropped only when you capture packets to the console output. The pktcap-uw utility saves only the content of packets to a .pcap or .pcapng file.
    3. Use the--count option to monitor only a number of packets.
  2. If you have not limited the number of packets by using the --count option, press Ctrl+C to stop capturing or tracing packets.


Besides the contents of dropped packets, the output of the pktcap-uw utility displays the reason for the drop and the function in the network stack that handled the packet last.

What to do next

If the contents of the packet are saved to a file, copy the file from the ESXi host to the system that runs a graphical analyzer tool, such as Wireshark, and open it in the tool to examine the packet details.