So before ESXi 5.5 if we wanted to perform a packet capture natively from the ESXi box using standard switches we could only use the tcpdump-uw tool, which only allowed us to capture traffic on individual VMkernel ports. Not very useful if there’s a problem on a standard vSwitch that only has virtual machine traffic on it. With dvSwitch, we can do port mirroring and netflow, but that left the sad little standard switch outside in the bitter cold when it came time to troubleshoot non-vmkernel traffic.
Good news space heroes, released with 5.5 is the newly minted pktcap-uw tool which allows you to specify any uplink for packet capture.
For example, to capture 100 packets on on vmnic1 and output it as a pcap file into /tmp:
pktcap-uw –uplink vmnic1 –outfile /tmp/vmnic1cap.pcap -P -c 100
From here we can use a WinSCP or other file transfer to download the pcap file and load it into Wireshark.
pktcap-uw -h yields the help message with all usage options, including source and destination IP/mac filters.
Packet Capture and Trace command usage:
== Create session to capture packets ==
pktcap-uw [–capture <capture point> | [–dir <0/1>] [–stage <0/1>]]
[–switchport <PortID> | –vmk <vmknic> | –uplink <vmnic> |
–dvfilter <filter name>]
–lifID <lif id for vdr>]
[-f [module name.]<function name>]
[-AFhP] [-p|–port <Socket PORT>]
[-c|–count <number>] [-s|–snapLen <length>]
[-o|–outfile <FILE>] [–console]
[Flow filter options]
== Create session to trace packets path ==
pktcap-uw –trace
[-AFhP] [-p|–port <Socket PORT>]
[-c|–count <number>] [-s|–snapLen <length>]
[-o|–outfile <FILE>] [–console]
[Flow filter options]
The command options:
-p, –port <Socket PORT>
Specify the port number of vsocket server.
-o, –outfile <FILE>
Specify the file name to dump the packets. If unset,
output to console by default
-P, –ng (only working with ‘-o’)
Using the pcapng format to dump into the file.
–console (by default if without ‘-o’)
Output the captured packet info to console.
-s, –snaplen <length>
Only capture the first <length> packet buffer.
-c, –count <NUMBER>
How many count packets to capture.
-h
Print this help.
-A, –availpoints
List all capture points supported.
-F
List all dynamic capture point functions supported.
–capture <capture point>
Specify the capture point. Use ‘-A’ to get the list.
If not specified, will select the capture point
by –dir and –stage setting
The switch port options:
(for Port, Uplink and Etherswitch related capture points)
–switchport <port ID>
Specify the switch port by ID
–lifID <lif ID>
Specify the logical interface id of VDR port
–vmk <vmk NIC>
Specify the switch port by vmk NIC
–uplink <vmnic>
Specify the switch port by vmnic
The capture point auto selection options without –capture:
–dir <0|1> (for –switchport, –vmk, –uplink)
The direction of flow: 0- Rx (Default), 1- Tx
–stage <0|1> (for –switchport, –vmk, –uplink, –dvfilter)
The stage at which to capture: 0- Pre: before, 1- Post:After
The capture point options
-f [module name.]<function name>
The function name. The Default module name is ‘vmkernel’.
(for ‘Dynamic’, ‘IOChain’ and ‘TcpipDispatch’ capture points)
–dvfilter <filter name>
Specify the dvfilter name for DVFilter related points
Flow filter options, it will be applied when set:
–srcmac <xx:xx:xx:xx:xx>
The Ethernet source MAC address.
–dstmac <xx:xx:xx:xx:xx>
The Ethernet destination MAC address.
–mac <xx:xx:xx:xx:xx>
The Ethernet MAC address(src or dst).
–ethtype 0x<ETHTYPE>
The Ethernet type. HEX format.
–vlan <VLANID>
The Ethernet VLAN ID.
–srcip <x.x.x.x[/<range>]>
The source IP address.
–dstip <x.x.x.x[/<range>]>
The destination IP address.
–ip <x.x.x.x>
The IP address(src or dst).
–proto 0x<IPPROTYPE>
The IP protocol.
–srcport <SRCPORT>
The TCP source port.
–dstport <DSTPORT>
The TCP destination port.
–tcpport <PORT>
The TCP port(src or dst).
–vxlan <vxlan id>
The vxlan id of flow.
For more information, this KB has information.
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1031186
Like this:
Like Loading...
Related
elgwhoppo's vNotebook 