VMware – capturing network packets

There are two utilities available on ESXi host out of the box that enable us to capture network traffic:

  • tcpdump (limited only to capturing traffic from vmkernel adapters)
  • pktcap
tcpdump

To list vmkernel adapters use esxcfg-vmknic -l command

tcpdump-uw -i vmk0 -s 0 -nn -e
notes:
-s 0 – indicates that we capture the entire packet (as opposed truncated packets)
-nn – indicates that we want to use numbers instead of names for the IP addresses, and for the portnumber a number instead of the service name
-e – will list ethernet headers in addition to all other information

To filter the traffic I can list i.e. port number:
tcpdump-uw -i vmk0 -s 0 -nn -e port 80

To generate traffic on that port I could use for example
nc -z host.IP.address 80
from another host/system

To save the output to a file use -w switch
tcpdump-uw -i vmk0 -s 0 -nn -e port 80 -w /vmfs/volumes/share/capture.pcap

Then to analize it copy it to system with i.e. Wireshar and open it from within.

 

pktcap

It is used to monitor traffic that flows through physical network adapters, VMkernel adapters, and virtual machines adapters, and analyze packet information by using the graphical user interface of network analysis tools such as Wireshark.

Example:
To capture packets on a switch port
First get the switch port from esxtop (press n to get the networking view) and look at the PORT-ID column
pktcap-uw --switchport 33554433
to save the output to a file use the -o switch followed by file location/name.pcap

Leave a Reply

Your email address will not be published. Required fields are marked *

3 × four =

This site uses Akismet to reduce spam. Learn how your comment data is processed.