Perform ARP packet capture at vmkernal and vmnic adapters.
Article ID: 411437
Updated On:
Products
VMware vSphere ESXi
Issue/Introduction
This is a guide introducing how to capture ARP packet at vmkernal and vmnic adapters.
Resolution
By executing below commands, ARP packet should be captured on vmk or vmnic.
vmkernel adapter
tcpdump-uw -n -i vmkX arpExample
[root@esxi:~] tcpdump-uw -n -i vmk0 arp
tcpdump-uw: verbose output suppressed, use -v[v]... for full protocol decode
listening on vmk0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
00:50:35.927892 ARP, Request who-has <IP-ARP-Requested-For> tell <vmk-IP>, length 46
vmnic adapter
pktcap-uw --uplink vmnicX --dir 2 -o - | tcpdump-uw -enr - | grep -i arpExample
[root@esxi:~] pktcap-uw --uplink vmnic0 --dir 2 -o - | tcpdump-uw -enr - | grep -i arp
The name of the uplink is vmnic0.
pktcap: The output file is -.
pktcap: No server port specifed, select XXXXX as the port.
pktcap: Local CID X.
pktcap: Listen on port XXXXX.
pktcap: Main thread: XXXXXXXXXXXX.
pktcap: Recv Thread: XXXXXXXXXXXX.
pktcap: Accept...
pktcap: Vsock connection from port XXXX cid X.
pktcap: Dump Thread: XXXXXXXXXXXXX.
pktcap: The output file format is pcapng.
reading from file -, link-type EN10MB (Ethernet), snapshot length 65535
00:45:30.438498 XX:XX:XX:XX:XX:XX > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has <IP-ARP-Requested-For> tell <vmk-IP>, length 46
Feedback
Yes
No
Powered by
