This article describes how to capture network traffic for a container located on a Windows Diego Cell.
To do this we will use pktmon (Packet Monitor), a command-line utility built into Windows that can be run from PowerShell.
We will walk through an example together for an app named my-windows-app.
Step 1
Use the cf CLI to obtain the app guid for the application whose network traffic you wish to capture:
$ cf app my-windows-app --guid
73892ec5-9195-45b2-b31f-3a3ad3d12dd3
Step 2
SSH onto a Linux Diego Cell and use cfdot to obtain the instance_guid of the instance whose network traffic you wish to capture. The command is cfdot actual-lrps, piped into grep filtering on the app guid from step 1:
diego_cell/353bb41f-44bb-421a-b21d-c5d8dc539bfd:~$ cfdot actual-lrps | grep 73892ec5-9195-45b2-b31f-3a3ad3d12dd3
{"process_guid":"73892ec5-9195-45b2-b31f-3a3ad3d12dd3-bb89f06b-c42a-48b4-a26c-346e1b950379","index":0,"domain":"cf-apps","instance_guid":"629d2bf3-a368-4ec2-5dd4-3076","cell_id":"XXXXXXXX-XXXX-XXXX-XXXX-350d5d5c4ad7","address":"10.XXX.XXX.XXX","ports":[{"container_port":8080,"host_port":40000},{"container_port":2222,"host_port":40001}],"instance_address":"10.XXX.XXX.XXX","preferred_address":"HOST","crash_count":0,"state":"RUNNING","since":1640715912681759069,"modification_tag":{"epoch":"60b24134-64e5-4751-4bc1-e760d9534662","index":2},"presence":"ORDINARY"}
We are interested in the following fields from the above output:
address - the IP address of the Windows Diego Cell where the app instance is located. We will SSH onto this VM in step 4.
instance_guid - the guid of this specific instance of the application. Its vEthernet adapter on the cell is named after it, which is how we will identify the interface to capture on in step 6.
address = 10.XXX.XXX.XXX
instance_guid = 629d2bf3-a368-4ec2-5dd4-3076
Exit the Linux Diego Cell.
Note - if you do not see any output when grepping the cfdot output for the app guid, please see the linked knowledge base article for an alternative method to find the instance_guid and the address of the host VM.
Step 3
Use the bosh CLI to locate the Windows Diego Cell containing the application instance, using the address obtained in step 2:
$ bosh -d pas-windows-38f6319ac59f2543b5e3 vms | grep 10.XXX.XXX.XXX
windows_diego_cell/XXXXXXXX-XXXX-XXXX-XXXX-350d5d5c4ad7  running  az1  10.XXX.XXX.XXX  vm-XXXXXXXX-XXXX-XXXX-XXXX-be12f249081f  xlarge.disk  true  bosh-vsphere-esxi-windows2019-go_agent/2019.42
Step 4
SSH onto this VM:
$ bosh -d pas-windows-38f6319ac59f2543b5e3 ssh windows_diego_cell/XXXXXXXX-XXXX-XXXX-XXXX-350d5d5c4ad7
Step 5
Get into PowerShell:
bosh_060aa376621043c@WIN-UJPNRJNJE5L C:\Users\bosh_060aa376621043c>PowerShell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\bosh_060aa376621043c>
Step 6
List available interfaces:
PS C:\Users\bosh_060aa376621043c> pktmon comp list
Network Adapters:
Id  MAC Address        Name
--  -----------        ----
4   00-50-56-B7-2E-97  vmxnet3 Ethernet Adapter
30  00-15-5D-EF-87-AB  vEthernet (629d2bf3-a368-4ec2-5dd4-3076)
29  00-15-5D-EF-82-68  vEthernet (winc-nat)
PS C:\Users\bosh_060aa376621043c>
We are interested in the interface whose name contains the instance_guid obtained in step 2. The other two adapters are the cell's own NIC (vmxnet3) and the shared NAT switch (winc-nat); capturing on those would include traffic from every container on the cell, not just ours.
The interface for instance_guid 629d2bf3-a368-4ec2-5dd4-3076 has Id 30.
We will capture traffic on Id 30.
NOTE: depending on the version of pktmon in use, the output of "pktmon comp list" may look different from the above. For example, here is another variation of the output:
PS C:\Users\bosh_GUID> pktmon comp list
vSwitch winc-nat
    Hyper-V Virtual Ethernet Adapter #3 (629d2bf3-a368-4ec2-5dd4-3076)
        Id:          30 (NDIS), 66 (VMS)
        Driver:      VmsProxyHNic.sys
        MAC Address: 00-15-5D-EF-87-AB
        ifIndex:     22
In this variation the Id of interest is the NDIS Id, which is still 30.
Step 7
Start the network trace and specify the interface Id you wish to capture on. In this case, we pass 30 to the --comp flag:
PS C:\Users\bosh_6213a8613f6b43e> pktmon start --etw -c --comp 30
Logger Parameters:
    Logger name:      PktMon
    Logging mode:     Circular
    Log file:         C:\Users\bosh_6213a8613f6b43e\PktMon.etl
    Max file size:    512 MB
    Memory used:      128 MB

Collected Data:
    Packet counters, packet capture

Capture Type:
    All packets

Monitored Components:
    Id  Driver       Name
    --  ------       ----
    30  vmswitch.sys vEthernet (629d2bf3-a368-4ec2-5dd4-3076)

Packet Filters:
    None
This starts the capture and writes output to a file called PktMon.etl in the current working directory, in this example C:\Users\bosh_6213a8613f6b43e\PktMon.etl.
Two defaults are worth knowing before you start. As the output shows, the log is circular and capped at 512 MB, so once the file fills the oldest packets are overwritten. pktmon also keeps only the first 128 bytes of each packet by default, which is enough for headers but not for payloads; pass --pkt-size 0 if you need whole packets. See the pktmon help (pktmon start help) for these and other flags that can be added if desired.
Step 8
After capturing the desired network traffic, stop the capture:
PS C:\Users\bosh_6213a8613f6b43e> pktmon stop
Flushing logs...
Log file: C:\Users\bosh_6213a8613f6b43e\PktMon.etl (No events lost)
Step 9
Convert the etl file to pcap format. In this example, the output file is named in the format <instance_guid>.pcap:
PS C:\Users\bosh_6213a8613f6b43e> pktmon etl2pcap PktMon.etl -o 629d2bf3-a368-4ec2-5dd4-3076.pcap
Processing...

Packets total:      93
Packet drop count:  0
Packets formatted:  93
Formatted file:     629d2bf3-a368-4ec2-5dd4-3076.pcap
Step 10
Exit the Windows Diego Cell and use the bosh CLI to scp the pcap file to the current working directory:
$ bosh -d pas-windows-38f6319ac59f2543b5e3 scp windows_diego_cell/XXXXXXXX-XXXX-XXXX-XXXX-350d5d5c4ad7:/Users/bosh_6213a8613f6b43e/629d2bf3-a368-4ec2-5dd4-3076.pcap .
The capture can contain application payloads, including any credentials the app sends in cleartext, so once the copy is confirmed delete both PktMon.etl and the .pcap from the cell rather than leaving them in the bosh user's home directory.
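Steps 6 through 9 above, collected into a single PowerShell script to run on the Windows Diego Cell. This is an added example and not part of the original article or of the platform's tooling. It takes only the instance_guid from step 2, resolves the vEthernet component Id from "pktmon comp list" (handling both output layouts shown in step 6), starts the capture, waits for you to reproduce the traffic, then stops and converts it. It assumes pktmon.exe is on PATH and that the shell is elevated, as the bosh ssh session in step 4 is; the --file-name and --pkt-size flags are documented pktmon options that the article itself does not use.

```powershell
# Added example, not from the original article: steps 6 to 9 as one script for
# PowerShell on the Windows Diego Cell. Only the instance_guid from step 2 is
# needed; the vEthernet component Id is resolved from "pktmon comp list".
# Assumption: pktmon.exe is on PATH (it ships with Windows Server 2019) and the
# shell has administrator rights, as the bosh ssh session in step 4 does.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstanceGuid,                       # e.g. 629d2bf3-a368-4ec2-5dd4-3076
    [string]$OutputDir = (Get-Location).Path     # where PktMon.etl and the .pcap go
)

$ErrorActionPreference = 'Stop'

function Get-PktmonComponentId {
    # Returns the NDIS component Id of the adapter whose name contains $Guid.
    # Handles both "pktmon comp list" layouts shown in step 6: the table form
    #   30  00-15-5D-EF-87-AB  vEthernet (<guid>)
    # and the block form, where "Id: 30 (NDIS), 66 (VMS)" follows the adapter name.
    # $CompList can be passed explicitly (e.g. saved output) to check the parsing offline.
    param(
        [Parameter(Mandatory = $true)][string]$Guid,
        [string[]]$CompList = (& pktmon comp list)
    )
    $guidPattern = [regex]::Escape($Guid)
    for ($i = 0; $i -lt $CompList.Count; $i++) {
        if ($CompList[$i] -notmatch $guidPattern) { continue }

        # Table form: the line starts with the Id, followed by a MAC address.
        if ($CompList[$i] -match '^\s*(\d+)\s+([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}\s') {
            return [int]$Matches[1]
        }
        # Block form: the Id is on one of the next few indented lines.
        $limit = [Math]::Min($i + 5, $CompList.Count)
        for ($j = $i + 1; $j -lt $limit; $j++) {
            if ($CompList[$j] -match '^\s*Id:\s*(\d+)') { return [int]$Matches[1] }
        }
    }
    throw "No pktmon component found for instance_guid $Guid; check 'pktmon comp list'"
}

function Start-ContainerCapture {
    # Step 7. pktmon keeps only the first 128 bytes of each packet by default;
    # -FullPackets passes --pkt-size 0 so payloads are not truncated.
    param([int]$ComponentId, [string]$EtlPath, [switch]$FullPackets)
    $cmdArgs = @('start', '--etw', '-c', '--comp', "$ComponentId", '--file-name', $EtlPath)
    if ($FullPackets) { $cmdArgs += @('--pkt-size', '0') }
    & pktmon @cmdArgs
}

function Stop-ContainerCapture {
    # Steps 8 and 9: flush the ETW session, then convert the .etl to pcap.
    param([string]$EtlPath, [string]$PcapPath)
    & pktmon stop
    & pktmon etl2pcap $EtlPath -o $PcapPath
    return $PcapPath
}

$componentId = Get-PktmonComponentId -Guid $InstanceGuid
$etlPath  = Join-Path $OutputDir 'PktMon.etl'
$pcapPath = Join-Path $OutputDir "$InstanceGuid.pcap"

Write-Host "Capturing component $componentId (vEthernet ($InstanceGuid)) to $etlPath"
Start-ContainerCapture -ComponentId $componentId -EtlPath $etlPath -FullPackets
Read-Host 'Generate the traffic of interest, then press Enter to stop the capture' | Out-Null
$result = Stop-ContainerCapture -EtlPath $etlPath -PcapPath $pcapPath
Write-Host "Wrote $result. Copy it off with bosh scp (step 10), then delete the .etl and .pcap from the cell."
```

Run it from the PowerShell prompt of step 5 as .\Capture-ContainerTraffic.ps1 -InstanceGuid 629d2bf3-a368-4ec2-5dd4-3076 (the file name is arbitrary). Resolving the Id by guid rather than hard-coding 30 matters because component Ids are assigned per cell and change when containers are recreated; if the guid is not found the script stops before starting a capture, so you never silently record the wrong adapter.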