The focus of this article is to provide advice and best practices for using the pktcap-uw tool when ESXi hosts are heavily loaded.
You see the following messages in vmkernel.log (/var/log) and the ESXi host disconnects from vCenter:
VMware vSphere ESXi 7.0
VMware vSphere ESXi 8.0
The pktcap-uw tool needs to duplicate packets in memory, hold them, and then send them to the user world. Under high load this process can be costly in memory.
), for example:
# pktcap-uw --uplink <vmnic> --capture UplinkSndKernel,UplinkRcvKernel --ng -o - | tcpdump-uw -enr - | grep <ip_address> | gzip -c - > /vmfs/volumes/<datastore>/<directory>/uplink-capture-<vmnix>.txt.gz &
# pktcap-uw --uplink <vmnic> --ip <ip_address> -o capturefile.pcap
# pktcap-uw --uplink vmnicX --snap 200
# kill $(lsof | grep pktcap-uw | awk '{print $1}' | sort -u)
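The capture-side IP filter, the snap length and the explicit stop from the commands above can be combined into one time-bounded capture. This is an added example, not part of the original article; the function name bounded_capture, its argument order and the PKTCAP override variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example: one filtered, truncated, time-bounded pktcap-uw capture.
# PKTCAP, bounded_capture and its arguments are names chosen for this example.
PKTCAP="${PKTCAP:-pktcap-uw}"

# bounded_capture <vmnic> <ip_address> <snaplen_bytes> <seconds> <outfile>
bounded_capture() {
    nic="$1"; ip="$2"; snap="$3"; secs="$4"; out="$5"

    # Refuse to start a capture without a filter, a snap length and a time limit.
    [ -n "$nic" ] && [ -n "$ip" ] && [ -n "$out" ] || return 2
    case "$snap" in ''|*[!0-9]*) return 2 ;; esac
    case "$secs" in ''|*[!0-9]*) return 2 ;; esac

    # Filter at capture time and truncate each packet, so fewer and smaller
    # packets have to be held in memory for the capture.
    "$PKTCAP" --uplink "$nic" --ip "$ip" --snap "$snap" -o "$out" &
    pid=$!

    # If the wrapper is interrupted, stop the capture instead of orphaning it.
    trap 'kill "$pid" 2>/dev/null' INT TERM

    # Wait up to <seconds>, leaving early if the capture exits on its own.
    waited=0
    while [ "$waited" -lt "$secs" ] && kill -0 "$pid" 2>/dev/null; do
        sleep 1
        waited=$((waited + 1))
    done

    # Stop only the session started here, then reap it.
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    trap - INT TERM
    return 0
}
```

Called as `bounded_capture vmnicX <ip_address> 200 60 capturefile.pcap`, it runs the capture for at most 60 seconds and leaves no pktcap-uw session behind.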