Learn how to use the PacketCapture utility to diagnose networking problems such as slow connection, lost packets, and connectivity problems.

PacketCapture is a lightweight tcpdump utility that captures and stores only the minimum amount of data that is needed to diagnose the network problem. PacketCapture is integrated in the rhttpproxy service of ESXi and vCenter Server. You start and stop PacketCapture by editing the rhttpproxy service XML configuration file.
Note: For ESXi 8.0 and earlier, you enable network packet captures by editing the rhttpproxy service XML configuration file. Starting with ESXi 8.0 Update 1, reverse proxy configuration has been moved from XML files to the configstore database. To capture network packets with configstorecli, see https://kb.vmware.com/s/article/89489.

Procedure

  1. Start capturing packets.
    1. Open an SSH connection and log in to the ESXi host or vCenter Server.
    2. Open the config.xml file for editing.
      vSphere Component    File Location
      ESXi                 /etc/vmware/rhttpproxy/config.xml
      vCenter Server       /etc/vmware-rhttpproxy/config.xml
    3. Make the following changes.
      <config>
        <packetCapture>
          <enabled>true</enabled>
        </packetCapture>
        <!-- other existing settings stay unchanged -->
      </config>
    4. (Optional) Configure PacketCapture options.
      Option and Default Value
          Description
      <validity>72</validity>
          On startup, delete all pcap and pcap.gz files that were last modified before the specified period of hours and are not part of the current process.
      <directory>/directory_path</directory>
          The directory in which pcap and pcap.gz files are stored. The directory must exist and be accessible.
      <maxDataInPcapFile>52428800</maxDataInPcapFile>
          The amount of captured data in bytes that each pcap and pcap.gz file can store before rolling over to the next file. The minimum size is 5 MB on vCenter Server and 2.5 MB on ESXi.
          Note: Storing 50 MB of captured data in a pcap file requires a pcap file of about 67.5 MB.
      <maxPcapFilesCount>5</maxPcapFilesCount>
          The number of pcap or pcap.gz files to rotate. The minimum number is 2.
    5. Save and close the config.xml file.
    6. Reload the config.xml file by running the following command.
      kill -SIGHUP `pidof rhttpproxy`
  2. Stop capturing packets.
    1. Open an SSH connection and log in to the ESXi host or vCenter Server.
    2. Open the config.xml file for editing.
    3. Make the following changes.
      <config>
        <packetCapture>
          <enabled>false</enabled>
        </packetCapture>
        <!-- other existing settings stay unchanged -->
      </config>
    4. Save and close the config.xml file.
    5. Reload the config.xml file by running the following command.
      kill -SIGHUP `pidof rhttpproxy`
  3. Collect the captured data.
    The pcap or pcap.gz files are stored in the following default directories.
    vSphere Component    File Location
    ESXi                 /var/run/log
    vCenter Server       /var/log/vmware/rhttpproxy
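
An added example, not VMware's code: a Python check to run against a copy of config.xml before reloading rhttpproxy. It applies the minimums from the options table, reports whether capture is enabled, and estimates worst-case disk use from the 50 MB to 67.5 MB note. The function name, the sample XML, reading 1 MB as 1,048,576 bytes (inferred from the default 52428800 being described as 50 MB), and treating a missing `<enabled>` as off are assumptions.

```python
import xml.etree.ElementTree as ET

MB = 1024 * 1024  # assumption: inferred from the default 52428800 being called 50 MB
DEFAULTS = {"validity": 72, "maxDataInPcapFile": 50 * MB, "maxPcapFilesCount": 5}
MIN_DATA = {"esxi": 5 * MB // 2, "vcenter": 5 * MB}  # 2.5 MB on ESXi, 5 MB on vCenter Server
OVERHEAD = (675, 500)  # from the note: 50 MB of captured data needs a ~67.5 MB file

# Constructed sample, not a real config.xml: size and file count are both too low.
SAMPLE = """<config>
  <packetCapture>
    <enabled>true</enabled>
    <maxDataInPcapFile>1048576</maxDataInPcapFile>
    <maxPcapFilesCount>1</maxPcapFilesCount>
  </packetCapture>
</config>"""


def check_packet_capture(xml_text, component):
    """Return (settings, problems) for the <packetCapture> block; component is 'esxi' or 'vcenter'."""
    node = ET.fromstring(xml_text).find("packetCapture")
    if node is None:
        return {"enabled": False}, []
    # Assumption: capture counts as on only when <enabled> is literally "true".
    settings = {"enabled": (node.findtext("enabled") or "").strip().lower() == "true"}
    problems = []
    for name, default in DEFAULTS.items():
        raw = node.findtext(name)
        try:
            settings[name] = default if raw is None else int(raw.strip())
        except ValueError:
            settings[name] = default
            problems.append(f"{name}: {raw!r} is not an integer")
    if settings["maxDataInPcapFile"] < MIN_DATA[component]:
        problems.append(f"maxDataInPcapFile is below the {component} minimum of {MIN_DATA[component]} bytes")
    if settings["maxPcapFilesCount"] < 2:
        problems.append("maxPcapFilesCount is below the minimum of 2")
    # Upper bound on uncompressed pcap data left on disk once rotation is full.
    num, den = OVERHEAD
    settings["worst_case_bytes"] = (
        settings["maxDataInPcapFile"] * settings["maxPcapFilesCount"] * num // den)
    return settings, problems


if __name__ == "__main__":
    found, issues = check_packet_capture(SAMPLE, "esxi")
    print(found)
    for issue in issues:
        print("PROBLEM:", issue)
```

Running the same check after step 2 confirms that `enabled` is back to false, so captured traffic does not keep accumulating on the host.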

What to do next

Copy the pcap and pcap.gz files to a system that runs a network analyzer tool, such as Wireshark, and examine the packet details.

Before you analyze the pcap and pcap.gz files captured from an ESXi host, use the TraceWrangler utility to fix the frame size metadata. For more information, see https://kb.vmware.com/kb/52843.