VMware vSphere ESXi
As a starting point, bookmark, and visit ESXi Network Troubleshooting Tools
At the above link, scroll down to the section title "Pktcap-uw".
Under that title, look for the following graphic:
Packet captures are done by entering commands at the command line of a session via SSH (or Server Console access via KVM -- “Keyboard, Video (monitor), Mouse.”) with root access privileges.
There are a variety of points at which a traffic can be captured, depending on the type of switch in use for example standard vSwitch or a Distributed Virtual Switch (DVS).
And, capture output can be directed to the user's screen and displayed (by parsing the output with the tcpdump-uw tool), or it can be directed to a disk file which can then be downloaded and analyzed with a tool such as Wireshark.
Plan on directing the output to a disk file, please NEVER use the /tmp directory as a place to put the data.
Instead, first determine what datastores are available to the ESXi host using the command:
df -h
Then , change to the datastore
cd /vmfs/volumes/FULL_PATH_TO_DATASTORE
Enter the full path for the FULL_PATH_TO_DATASTORE above.
NOTE: When sending the data to a VSAN datastore, enclose the command in quotes, such as:
cd "/vmfs/volumes/FULL_PATH_TO_DATASTORE"
ALSO NOTE: As a general rule, when doing captures from multiple ESXi hosts, it makes the most sense to use a datastore that is accessible from all of those hosts.
It is also a good idea to create a sub-folder or sub-directory at that datastore, such as, for example, "CASE_12345678" where instead of "12345678", use the Broadcom Support Case Number.
Example:
cd "/vmfs/volumes/FULL_PATH_TO_DATASTORE"
mkdir Case_12345678
in vSwitch i.e. switchport and uplink.
Switchport connects to all the vNIC and vmk adapters and uplink is the actual physical NIC (vmnic).
We will first identify the capture point based on the issue and apply the command syntax accordingly.
In the below diagram not the architecture and how VM’s, kernel and physical adapters are connected.
vSwitch_name
/ports/switchport_number/teamuplink"Note: For vSwitch name and switchport number refer to "net-stats -l" output.
As an example, trace a particular vSwitch port and its associated uplink at the same time:
Identify and make a note these parameters:
Port ID returned by the esxtop command — --switchport 12345678
vmnic2 physical port to trace — --uplink vmnic2 -
location of the output pcap file — /vmfs/volumes/FULL_PATH_TO_DATASTORE/Case_12345678/
Note: The command shell we assume here is the Bash shell. Therefore, if more than one uplink on the vswitch, just add the command after the ending & and add a & at the end.
When doing only a single capture, omit the "&"
To stop a single capture, press and hold the "CTRL" key and touch "C".
Expect to see a number of messages on the screen as the packets are being captured.
For better viewing while this is happening, start a duplicate session using SSH.
Per the diagram, there are found different capture points.
1) The closest capture point to the physical infrastructure (i.e. the entry / exit point between the ESXi hypervisor and the physical infrastructure, is called the --uplink capture point.
pktcap-uw --uplink vmnic2 --capture UplinkSndKernel,UplinkRcvKernel -o /vmfs/volumes/FULL_PATH_TO_DATASTORE/Case_12345678/esxi01.uplink.vmnic2.UplinkSndRcvKernel.pcapng &
pktcap-uw --uplink vmnic2 --capture UplinkSndKernel,UplinkRcvKernel -o - | tcpdump-uw -r - -enn
NOTES:
a) To terminate the capture if when directing the output to a file:
kill $(lsof |grep pktcap-uw |awk '{print $1}'| sort -u)
b) To terminate the capture when directing the output to the screen: Press and hold the CTRL key and touch "C".
2) The capture point closest to the actual virtual machine's virtual NIC is called the --switchport capture point.
pktcap-uw --switchport 67108879 ---capture VnicTx,VnicRx -o /vmfs/volumes/FULL_PATH_TO_DATASTORE/Case_12345678/esxi01.switchport.67108879.VnicTxRx.pcapng &
pktcap-uw --switchport 67108879 ---capture VnicTx,VnicRx -o - | tcpdump-uw -r - -enn
3) The other two capture points are shown in the OVERVIEW diagram at the top of this RESOLUTION section, and generally are only used when working with a Broadcom Technical Support Engineer (TSE), during an investigation via a Broadcom Support Case.
2) Consider adding an IP address, such as in this example:
pktcap-uw --switchport 67108879 ---capture VnicTx,VnicRx -s 256 --ip AAA.BBB.CCC.DDD -o /vmfs/volumes/FULL_PATH_TO_DATASTORE/Case_12345678/esxi01.switchport.67108879.VnicTxRx.pcapng &
3) Consider adding a Protocol type, such as ICMP for Ping Requests and Replies, such as in this example:
pktcap-uw --switchport 67108879 ---capture VnicTx,VnicRx -s 256 --ip AAA.BBB.CCC.DDD --proto 0x01 -o /vmfs/volumes/FULL_PATH_TO_DATASTORE/Case_12345678/esxi01.switchport.67108879.VnicTxRx.pcapng &
RELATED LINKS :
https://knowledge.broadcom.com/external/article/377453/considerations-to-run-pktcapuw-under-hea.html