When initiating packet captures on multiple NSX-T interfaces (<Interface-1> and <Interface-2>) from two separate SSH sessions, it's possible for both sessions to end up using the same default span interface, "span0." As a result, the packets from both interfaces will be mirrored and displayed on that single span interface. By default, the NSX-T system allows a single span interface to handle multiple interfaces, which may lead to overlapping packet captures and mirrored packets from different interfaces on the same span.

To ensure exclusive packet captures for each interface and avoid displaying mirrored packets, it's necessary to configure dedicated spans for individual interfaces. This KB article provides step-by-step instructions on how to assign separate spans for each NSX-T interface to achieve exclusive packet captures.

VMware NSX-T

Steps to Configure Exclusive Packet Capture:
1. Open two separate SSH sessions to the NSX-T Edge Node where you want to perform packet captures.
2. In the first SSH session, run the following command to start capturing packets on <Interface-1> and direct them to span-1:
set capture session 1 <Interface-1> dir dual
3. In the second SSH session, run the following command to start capturing packets on <Interface-2> and direct them to span-2:
set capture session 2 <Interface-2> dir dual
Note: By explicitly specifying the capture session number (1 and 2), you are ensuring that each interface has its own dedicated span for capturing packets.
4. The system will create separate span interfaces (span-1 and span-2) for each capture session, and each interface will have its exclusive span for capturing packets.
5. To confirm that the packet captures are exclusive for each interface, you can use the following command in a third SSH session:
get capture session
If both interfaces (<Interface-1> and <Interface-2>) are listed under separate capture sessions (e.g., session 1 and session 2), it indicates that they are capturing packets exclusively on their respective spans, and the mirroring of packets on "span0" has been avoided. For instance

edge> get capture session
Packet Capture Session
ID                   : 0
PORTS                : ['Interface-1 UUID']   >>>> Session-1
Packet Capture Session
ID                   : 1
PORTS                : ['Interface-2 UUID']  >>>> Session-2
Packet Capture Session
ID                   : 2
PORTS                : []
Packet Capture Session
ID                   : 3
PORTS                : []
Packet Capture Session
ID                   : 4
PORTS                : []
Packet Capture Session
ID                   : 5
PORTS                : []

6. To verify the running tcpdump processes associated with the capture sessions, you can use the following command, from Root level
ps fax | grep tcpdump

The output will display tcpdump processes associated with the dedicated span interfaces (e.g., span-1 and span-2) for each capture session. For instance
root@edge:~# ps fax | grep tcpdump
 724956 pts/0    S+     0:00  |                                                               \_ grep --color=auto tcpdump
 724483 pts/2    S+     0:00  |               \_ /usr/bin/sudo /usr/sbin/tcpdump -i span-1 -n -e -P
 724484 pts/2    S+     0:00  |                   \_ /usr/sbin/tcpdump -i span-1 -n -e -P
 724834 pts/3    S+     0:00                  \_ /usr/bin/sudo /usr/sbin/tcpdump -i span-3 -n -e -P
 724835 pts/3    S+     0:00                      \_ /usr/sbin/tcpdump -i span-2 -n -e -P
root@edge:~#

With the above configuration, you can now monitor and capture packets exclusively for each NSX-T interface, ensuring that they are not mirrored on a common span interface and enabling efficient analysis and troubleshooting of network traffic.