Capturing a network trace in ESXi using Tech Support Mode or ESXi Shell
search cancel

Capturing a network trace in ESXi using Tech Support Mode or ESXi Shell

book

Article ID: 311229

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

This article provides information on capturing network traces in ESXi 4.0 Update 1, ESXi 4.1, and ESXi 5.x. You may want to capture the network traces to investigate network problems.


Environment

VMware ESXi 4.0.x Embedded
VMware ESXi 4.0.x Installable
VMware vSphere ESXi 5.1
VMware ESXi 4.1.x Installable
VMware ESXi 4.1.x Embedded
VMware vSphere ESXi 5.0
VMware vSphere ESXi 5.5

Resolution

To capture the network traces in ESXi 4.x and ESXi 5.x, you can use the tcpdump-uw command in the Tech Support Mode.

Note: In ESXi 5.x, Tech Support Mode is replaced by ESXi Shell. For more information, see Using ESXi Shell in ESXi 5.0 and 5.1 (2004746).
 
The tcpdump-uw command is based on the standard tcpdump utility. Network traces are captured from the perspective of a network interface. The examples in this article use vmk0, though any VMKernel network interface could be used.

Capturing network traces with tcpdump-uw

  • To list the vmkernel interfaces, use the esxcfg-vmknic command with the -l option:

    # esxcfg-vmknic -l
     
  • To display packets on the vmkernel interface vmk0, use the tcpdump-uw command with the -i option:

    # tcpdump-uw -i vmk0

    Note:
  • To capture the entire packet, use the tcpdump-uw command with the -s option with a value of 1514 for normal traffic and 9014 if Jumbo Frames are enabled.

    Normal traffic: # tcpdump-uw -i vmk0 -s 1514
    Jumbo Frames enabled: # tcpdump-uw -i vmk0 -s 9014 -B 9

    Note: By default, tcpdump-uw can only capture a maximum of 8138 bytes due to buffer constraints. The -B 9 option increases the buffer to allow the capture of up to 9014 bytes.
     
  • To display all of the packets on vmk0 with verbose detail, use the tcpdump-uw command with the -vvv option:

    # tcpdump-uw -i vmk0 -s 1514 -vvv

    Note: Refer the help page for tcpdump-uw command for more -v options.
     
  • To display only the TCP packets on vmk0, use the tcp option with the tcpdump-uw command.

    # tcpdump-uw -i vmk0 -s 1514 tcp
     
  • To see traffic to/from only a single IP address, you can use the host option:

    # tcpdump-uw -i vmk0 -s 1514 host x.x.x.x
     
  • To avoid seeing unwanted traffic types in the tcpdump-uw output, use the not option. For example, to filter out DNS and SSH traffic, use the following command:

    # tcpdump-uw -i vmk0 -s 1514 port not 22 and port not 53

    Note: This is useful when doing a packet capture on a VMkernel interface when that same interface is also being used for an active SSH session.
     
  • To save the dump in pcap format for later use with Wireshark, use the traffic.pcap option.

    # tcpdump-uw -i vmk0 -s 1514 -w traffic.pcap
     
  • If the trace is running for long time, you can split the trace pcap file to chunks of desired size using the-C option.

    # tcpdump-uw -i vmk0 -s 1514 -C 100M -w /var/tmp/test.pcap
     
  • To limit the log files to a specified number, you can use the -W option. You can use this option if a trace must be set running for a long period of time, waiting for an even to occur.

    For example:

    # tcpdump-uw -i vmk0 -s 1514 -C 100M -W 10 -w /var/tmp/test.pcap

    This command creates 10 trace files of size 100MB each. This ensures that you do not run out of space on ESX.

    Note: This option has the same effect of rotating the log files.



Additional Information

By default, packet captures on the vmkernel network interface (vmk) only captures the network traffic moving to and from the vmkernel on that interface. It does not capture other traffic moving across the Virtual Switch.

To capture all traffic moving across the Virtual Switch:

Using the pktcap-uw tool in ESXi 5.5 and later