When initiating packet captures on multiple NSX-T interfaces (<Interface-1> and <Interface-2>) from two separate SSH sessions, it's possible for both sessions to end up using the same default span interface, "span0." As a result, the packets from both interfaces will be mirrored and displayed on that single span interface. By default, the NSX-T system allows a single span interface to handle multiple interfaces, which may lead to overlapping packet captures and mirrored packets from different interfaces on the same span.
To ensure exclusive packet captures for each interface and avoid displaying mirrored packets, it's necessary to configure dedicated spans for individual interfaces. This KB article provides step-by-step instructions on how to assign separate spans for each NSX-T interface to achieve exclusive packet captures.
VMware NSX
VMware NSX-T Data Center
Steps to configure exclusive packet capture:
1. Open two separate SSH sessions to the NSX-T Edge Node where the packet captures are to be performed.
2. In the first SSH session, run the following command to start capturing packets on <Interface-1> and direct them to span-1:
set capture session 0 interface <Interface-1> direction dual
3. In the second SSH session, run the following command to start capturing packets on <Interface-2> and direct them to span-2:
set capture session 1 interface <Interface-2> direction dual
Note: Explicitly specifying the capture session number (1 and 2) ensures that each interface has its own dedicated span for capturing packets.
4. The system will create separate span interfaces (span-1 and span-2) for each capture session, and each interface will have its exclusive span for capturing packets.
5. To confirm that the packet captures are exclusive for each interface, run the following command in a third SSH session:
get capture session
If both interfaces (<Interface-1> and <Interface-2>) are listed under separate capture sessions (e.g., session 1 and session 2), it indicates that they are capturing packets exclusively on their respective spans, and the mirroring of packets on "span0" has been avoided.
edge> get capture session
Packet Capture Session
ID : 0
PORTS : ['Interface-1 UUID'] >>>> Session-1
Packet Capture Session
ID : 1
PORTS : ['Interface-2 UUID'] >>>> Session-2
Packet Capture Session
ID : 2
PORTS : []
Packet Capture Session
ID : 3
PORTS : []
Packet Capture Session
ID : 4
PORTS : []
Packet Capture Session
ID : 5
PORTS : []
6. To verify the running tcpdump processes associated with the capture sessions, run the following command as root:
ps fax | grep tcpdump
The output will display tcpdump processes associated with the dedicated span interfaces (e.g., span-1 and span-2) for each capture session. For instance:
root@edge:~# ps fax | grep tcpdump
724956 pts/0 S+ 0:00 | \_ grep --color=auto tcpdump
724483 pts/2 S+ 0:00 | \_ /usr/bin/sudo /usr/sbin/tcpdump -i span-1 -n -e -P
724484 pts/2 S+ 0:00 | \_ /usr/sbin/tcpdump -i span-1 -n -e -P
724834 pts/3 S+ 0:00 \_ /usr/bin/sudo /usr/sbin/tcpdump -i span-2 -n -e -P
724835 pts/3 S+ 0:00 \_ /usr/sbin/tcpdump -i span-2 -n -e -P
root@edge:~#
With the above configuration, monitoring and capturing packets exclusively for each NSX-T interface can be performed, ensuring that they are not mirrored on a common span interface and enabling efficient analysis and troubleshooting of network traffic.
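A check for steps 5 and 6, as an added example that is not part of the original KB article: it parses pasted "get capture sessions" output and flags any session holding more than one port or any port attached to more than one session, and it lists the span interfaces that tcpdump processes are reading in "ps fax" output. The sample text is constructed, and the multi-port list form ['a', 'b'] is an assumption based on the single-port output shown above.

```python
import re
from collections import defaultdict

# Constructed sample in the format of "get capture sessions" shown above.
SAMPLE_SESSIONS = """\
Packet Capture Session
ID : 0
PORTS : ['fp-eth2']
Packet Capture Session
ID : 1
PORTS : ['fp-eth1']
Packet Capture Session
ID : 2
PORTS : []
"""

def parse_sessions(text):
    """Return {session_id: [port, ...]} from 'get capture sessions' output."""
    sessions, current = {}, None
    for line in text.splitlines():
        line = line.split(">>>>")[0].strip()  # drop the article's ">>>>" annotations
        m = re.match(r"ID\s*:\s*(\d+)$", line)
        if m:
            current = int(m.group(1))
            sessions[current] = []
        elif current is not None and line.startswith("PORTS"):
            sessions[current] = re.findall(r"'([^']+)'", line)
    return sessions

def exclusivity_problems(sessions):
    """List the reasons the captures are not one interface per session."""
    problems, seen = [], defaultdict(list)
    for sid, ports in sorted(sessions.items()):
        if len(ports) > 1:
            problems.append(f"session {sid} mirrors {len(ports)} ports: {ports}")
        for port in ports:
            seen[port].append(sid)
    for port, sids in sorted(seen.items()):
        if len(sids) > 1:
            problems.append(f"port {port} is attached to sessions {sids}")
    return problems

def tcpdump_span_interfaces(ps_text):
    """Interfaces read by tcpdump in 'ps fax' output; sudo wrappers and grep are skipped."""
    pat = re.compile(r"\\_ /usr/sbin/tcpdump\b.*?-i\s+(\S+)")
    return [m.group(1) for m in map(pat.search, ps_text.splitlines()) if m]

if __name__ == "__main__":
    print(exclusivity_problems(parse_sessions(SAMPLE_SESSIONS)) or "captures are exclusive")
```

An interface name that appears more than once in the list returned by tcpdump_span_interfaces means two tcpdump processes are reading the same span.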
Example of configuring exclusive packet capture:
1. Define session and start capture.
edge01> set capture session 0 interface fp-eth2 direction dual
edge01> set capture session 0 file fp-eth2.pcap
edge01> set capture session 1 interface fp-eth1 direction dual
edge01> set capture session 1 file fp-eth1.pcap
2. Individual captures are listed against each defined session.
edge01> get capture sessions
Tue Jun 17 2025 UTC 04:43:42.141
Packet Capture Session
ID : 0
PORTS : ['fp-eth2'] >>>> Session-1
Packet Capture Session
ID : 1
PORTS : ['fp-eth1'] >>>> Session-2
Packet Capture Session
ID : 2
PORTS : []
Packet Capture Session
ID : 3
PORTS : []
Packet Capture Session
ID : 4
PORTS : []
Packet Capture Session
ID : 5
PORTS : []
3. The saved session files can be viewed as user admin and as root using the respective commands below.
edge01> get files
Tue Jun 17 2025 UTC 04:56:16.626
Directory of filestore:/
-rw- 825878 Jun 17 2025 04:49:24 UTC fp-eth2.pcap
-rw- 164934 Jun 17 2025 04:49:28 UTC fp-eth1.pcap
root@edge01:~# cd /var/vmware/nsx/file-store
root@edge01:/var/vmware/nsx/file-store# ls -l
total 1012
-rw-r--r-- 1 www-data www-data 164934 Jun 17 04:49 fp-eth1.pcap
-rw-r--r-- 1 www-data www-data 825878 Jun 17 04:49 fp-eth2.pcap
4. Delete the capture sessions using the commands below.
edge01> del capture session 0
edge01> del capture session 1
5. Verify using the "get capture sessions" command. No capture sessions are running after the active capture sessions have been deleted.
edge01> get capture sessions
Tue Jun 17 2025 UTC 04:52:53.118
Packet Capture Session
ID : 0
PORTS : []
Packet Capture Session
ID : 1
PORTS : []
Packet Capture Session
ID : 2
PORTS : []
Packet Capture Session
ID : 3
PORTS : []
Packet Capture Session
ID : 4
PORTS : []
Packet Capture Session
ID : 5
PORTS : []