Packet Captures in ESXi using tcpdump-uw

Article ID: 311229

Updated On: 03-06-2025

Products

VMware vSphere ESXi

Issue/Introduction

This article provides information on capturing network traces in ESXi. Capturing network traces will help to investigate network problems.

Environment

VMware ESXi 6.x
VMware ESXi 7.x
VMware ESXi 8.x

Resolution

To capture the network traces in ESXi use the tcpdump-uw command in the SSH Shell of the ESXi host.

Note: For more information, see Using ESXi Shell.
 
The tcpdump-uw command is based on the standard tcpdump utility. Network traces are captured from the perspective of a network interface. The examples in this article use vmk0, though any VMkernel network interface could be used.

Capturing network traces with tcpdump-uw

  • To list the vmkernel interfaces, use the esxcfg-vmknic command with the -l option:

    # esxcfg-vmknic -l

     
  • To display packets on the vmkernel interface vmk0, use the tcpdump-uw command with the -i option:

    # tcpdump-uw -i vmk0

  • To capture the entire packet, use the tcpdump-uw command with the -s option with a value of 1514 for normal traffic and 9014 if Jumbo Frames are enabled.

    Normal traffic:
    # tcpdump-uw -i vmk0 -s 1514

    Jumbo Frames enabled:
    # tcpdump-uw -i vmk0 -s 9014 -B 9 


    Note: By default, tcpdump-uw can only capture a maximum of 8138 bytes due to buffer constraints. The -B 9 option increases the buffer to allow the capture of up to 9014 bytes.
     
  • To display all of the packets on vmk0 with verbose detail, use the tcpdump-uw command with the -vvv option:

    # tcpdump-uw -i vmk0 -s 1514 -vvv

     


    Note: Refer to the help page of the tcpdump-uw command for the other -v options.
     
  • To display only the TCP packets on vmk0, use the tcp option with the tcpdump-uw command.

    # tcpdump-uw -i vmk0 -s 1514 tcp

     
  • To see traffic to/from only a single IP address, use the host option:

    # tcpdump-uw -i vmk0 -s 1514 host x.x.x.x

     
  • To avoid seeing unwanted traffic types in the tcpdump-uw output, use the not option. For example, to filter out DNS and SSH traffic, use the following command:

    # tcpdump-uw -i vmk0 -s 1514 port not 22 and port not 53


    Note: This is useful when doing a packet capture on a VMkernel interface when that same interface is also being used for an active SSH session.
     
  • To save the dump in pcap format for later use with Wireshark, use the -w option followed by an output file name (traffic.pcap in this example).

    # tcpdump-uw -i vmk0 -s 1514 -w traffic.pcap

     
  • If the trace is running for a long time, split the trace pcap file into chunks of the desired size using the -C option.

    # tcpdump-uw -i vmk0 -s 1514 -C 100M -w /var/tmp/test.pcap

     
  • To limit the trace files to a specified number, use the -W option. Use this option if a trace must be left running for a long period of time, waiting for an event to occur.

    For example:

    # tcpdump-uw -i vmk0 -s 1514 -C 100M -W 10 -w /var/tmp/test.pcap


    This command creates up to 10 trace files of 100 MB each (about 1 GB in total), so the ESXi host will not run out of storage space.

    Note: This option has the same effect as rotating the log files.
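The options above combined into one small script, added here as an example and not part of the KB article: it picks the snaplen and -B value from the interface MTU (the 1500-byte threshold is an assumption), excludes the SSH and DNS noise the article mentions, sets up the -C/-W ring buffer, and reports the worst-case disk use before starting. It assumes the ESXi busybox sh and that the caller supplies the MTU and the /var/tmp output path.

```shell
#!/bin/sh
# Added example (not from the KB): build a tcpdump-uw ring-buffer capture for a
# VMkernel interface using the snaplen/-B values the article gives for normal
# vs Jumbo Frame traffic. Assumes ESXi busybox sh; MTU and output path are
# supplied by the caller.

# snaplen_for_mtu MTU -> "-s 1514" for normal frames, "-s 9014 -B 9" for jumbo
snaplen_for_mtu() {
    if [ "$1" -gt 1500 ]; then
        # Jumbo Frames: full frame is 9014 bytes; -B 9 raises the 8138-byte default buffer
        echo "-s 9014 -B 9"
    else
        echo "-s 1514"
    fi
}

# required_mb FILE_MB FILE_COUNT -> worst-case disk use of the ring buffer in MB
required_mb() {
    echo $(( $1 * $2 ))
}

# build_capture_cmd IFACE MTU FILE_MB FILE_COUNT OUTFILE -> full command line
# Filters out port 22 (the SSH session running the capture) and port 53 (DNS).
build_capture_cmd() {
    iface=$1; mtu=$2; file_mb=$3; file_count=$4; outfile=$5
    echo "tcpdump-uw -i $iface $(snaplen_for_mtu "$mtu") -C ${file_mb}M -W $file_count -w $outfile port not 22 and port not 53"
}

# Usage (constructed values): capture.sh vmk0 9000 100 10 /var/tmp/test.pcap
if [ "$#" -eq 5 ]; then
    cmd=$(build_capture_cmd "$@")
    echo "worst-case space needed: $(required_mb "$3" "$4") MB in $(dirname "$5")"
    echo "$cmd"
    # Only start the capture where tcpdump-uw exists, i.e. on an ESXi host
    command -v tcpdump-uw >/dev/null 2>&1 && $cmd
fi
```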

Additional Information

By default, a packet capture on a VMkernel network interface (vmk) captures only the network traffic moving to and from the VMkernel on that interface. It does not capture other traffic moving across the Virtual Switch.

To capture all traffic moving across the Virtual Switch: