How to Obtain pcap For Windows Diego Cell Container

Article ID: 298005

Updated On: 08-07-2024

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

This article describes how to capture network traffic for a container located on a Windows Diego Cell.
To do this we will leverage the Windows packet-monitoring utility pktmon, driven from PowerShell.

We will walk through an example together for an app named my-windows-app.

Environment

Product Version: 2.7

Resolution

Step 1
Use the cf CLI to obtain the app GUID of the application whose network traffic you wish to capture.

$ cf app my-windows-app --guid
73892ec5-9195-45b2-b31f-3a3ad3d12dd3

Step 2
SSH onto a Linux Diego Cell and use cfdot to obtain the instance_guid of the instance whose network traffic you wish to capture. The command we will use is cfdot actual-lrps, with its output piped into grep filtering on our app GUID.

diego_cell/353bb41f-44bb-421a-b21d-c5d8dc539bfd:~$ cfdot actual-lrps | grep 73892ec5-9195-45b2-b31f-3a3ad3d12dd3

{"process_guid":"73892ec5-9195-45b2-b31f-3a3ad3d12dd3-bb89f06b-c42a-48b4-a26c-346e1b950379","index":0,"domain":"cf-apps","instance_guid":"629d2bf3-a368-4ec2-5dd4-3076","cell_id":"XXXXXXXX-XXXX-XXXX-XXXX-350d5d5c4ad7","address":"10.XXX.XXX.XXX","ports":[{"container_port":8080,"host_port":40000},{"container_port":2222,"host_port":40001}],"instance_address":"10.XXX.XXX.XXX","preferred_address":"HOST","crash_count":0,"state":"RUNNING","since":1640715912681759069,"modification_tag":{"epoch":"60b24134-64e5-4751-4bc1-e760d9534662","index":2},"presence":"ORDINARY"} 

We are interested in the following from the above output:

  • address - this is the Windows Diego Cell where the app instance is located. We will ssh onto this VM soon.

  • instance_guid - this is the instance guid for the specific instance of this application. We will use this soon.

address = 10.XXX.XXX.XXX
instance_guid = 629d2bf3-a368-4ec2-5dd4-3076

Exit the Linux Diego Cell.

Note - if you see no output when grepping the cfdot output for the app GUID, please see this knowledge base article for an alternative method of finding the instance_guid and the address of the host VM.

Step 3
Use the bosh CLI to locate the Windows Diego Cell containing the application instance, using the address obtained in step 2.

$ bosh -d pas-windows-38f6319ac59f2543b5e3 vms | grep 10.XXX.XXX.XXX

windows_diego_cell/XXXXXXXX-XXXX-XXXX-XXXX-350d5d5c4ad7 running az1 10.XXX.XXX.XXX vm-XXXXXXXX-XXXX-XXXX-XXXX-be12f249081f xlarge.disk true bosh-vsphere-esxi-windows2019-go_agent/2019.42

Step 4
SSH onto this VM:

bosh -d pas-windows-38f6319ac59f2543b5e3 ssh windows_diego_cell/XXXXXXXX-XXXX-XXXX-XXXX-350d5d5c4ad7

Step 5
Get into PowerShell:

bosh_060aa376621043c@WIN-UJPNRJNJE5L C:\Users\bosh_060aa376621043c>PowerShell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\bosh_060aa376621043c>

Step 6
List available interfaces:

PS C:\Users\bosh_060aa376621043c> pktmon comp list

Network Adapters:
   Id MAC Address       Name
   -- -----------       ----
    4 00-50-56-B7-2E-97 vmxnet3 Ethernet Adapter
   30 00-15-5D-EF-87-AB vEthernet (629d2bf3-a368-4ec2-5dd4-3076)
   29 00-15-5D-EF-82-68 vEthernet (winc-nat)

PS C:\Users\bosh_060aa376621043c> 

We are interested in the interface whose name contains the instance_guid obtained in step 2.

The interface for instance_guid 629d2bf3-a368-4ec2-5dd4-3076 has Id 30.

We will capture traffic on Id 30.

NOTE: depending on the version of pktmon in use, the output of "pktmon comp list" may look different from the above. For example, here is another variation of the output:

PS C:\Users\bosh_GUID> pktmon comp list
vSwitch winc-nat
    Hyper-V Virtual Ethernet Adapter #3 (629d2bf3-a368-4ec2-5dd4-3076)
        Id: 30 (NDIS), 66 (VMS)
        Driver: VmsProxyHNic.sys
        MAC Address: 00-15-5D-EF-87-AB
        ifIndex: 22

In the above example, the Id of interest is still 30.

Step 7
Start the network trace, specifying the interface Id you wish to capture on. In this case, we pass 30 to the --comp flag:

PS C:\Users\bosh_6213a8613f6b43e> pktmon start --etw -c --comp 30

Logger Parameters:
    Logger name:        PktMon
    Logging mode:       Circular
    Log file:           C:\Users\bosh_6213a8613f6b43e\PktMon.etl
    Max file size:      512 MB
    Memory used:        128 MB

Collected Data:
    Packet counters, packet capture

Capture Type:
    All packets

Monitored Components:
    Id Driver       Name
    -- ------       ----
    30 vmswitch.sys vEthernet (629d2bf3-a368-4ec2-5dd4-3076)

Packet Filters:
    None

This starts the capture and writes output to a generated file called PktMon.etl in the current working directory, in this example C:\Users\bosh_6213a8613f6b43e\PktMon.etl. Note that the logger runs in circular mode with a 512 MB maximum file size, so a long capture will overwrite its oldest packets.

Feel free to browse the pktmon help output for additional flags if desired.

Step 8
After capturing the desired network traffic, stop the capture:

PS C:\Users\bosh_6213a8613f6b43e> pktmon stop
Flushing logs...
Log file: C:\Users\bosh_6213a8613f6b43e\PktMon.etl (No events lost)

Step 9
Convert the .etl file to pcap format. In this example, the output file is named using the format <instance_guid>.pcap:

PS C:\Users\bosh_6213a8613f6b43e> pktmon etl2pcap PktMon.etl -o 629d2bf3-a368-4ec2-5dd4-3076.pcap
Processing...

Packets total:       93
Packet drop count:   0
Packets formatted:   93
Formatted file:      629d2bf3-a368-4ec2-5dd4-3076.pcap 
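As an added example, not part of the original article and not tooling shipped with pktmon or Tanzu, the following PowerShell script automates steps 6 through 9 on the Windows Diego Cell: it parses the output of "pktmon comp list" in both layouts shown in step 6 to find the component Id of the container's vEthernet adapter, starts the capture with the flags used in step 7, waits for you to press Enter, stops the capture, and converts PktMon.etl to <instance_guid>.pcap. The function names are the example's own; the two listings embedded in the self-check are constructed copies of the step 6 outputs, and pktmon.exe is assumed to be on PATH.

```powershell
# Added example, not from the original article: automates steps 6 to 9 on the
# Windows Diego Cell. Assumes pktmon.exe is on PATH and accepts the same flags
# the article uses (start --etw -c --comp, stop, etl2pcap). Function names are
# this example's own.

function Get-ContainerComponentId {
    # Return the pktmon component Id of the vEthernet adapter whose name carries
    # the container's instance_guid. Handles both "pktmon comp list" layouts
    # shown in step 6: the table layout (Id is the first column) and the tree
    # layout (an "Id: NN (NDIS)" line follows the adapter name).
    param(
        [Parameter(Mandatory)] [string] $InstanceGuid,
        [string[]] $CompList = (pktmon comp list)   # default: ask pktmon live
    )
    $needle = [regex]::Escape("($InstanceGuid)")
    for ($i = 0; $i -lt $CompList.Count; $i++) {
        if ($CompList[$i] -notmatch $needle) { continue }
        # Table layout: "   30 00-15-5D-EF-87-AB vEthernet (<guid>)"
        if ($CompList[$i] -match '^\s*(\d+)\s+([0-9A-F]{2}-){5}[0-9A-F]{2}\s') {
            return [int]$Matches[1]
        }
        # Tree layout: the next few indented lines hold "Id: 30 (NDIS), 66 (VMS)"
        $limit = [Math]::Min($i + 6, $CompList.Count)
        for ($j = $i + 1; $j -lt $limit; $j++) {
            if ($CompList[$j] -match '^\s*Id:\s*(\d+)') { return [int]$Matches[1] }
        }
    }
    throw "No pktmon component found for instance_guid $InstanceGuid"
}

function Invoke-ContainerCapture {
    # Steps 7 to 9: capture on the container's adapter until Enter is pressed,
    # then convert PktMon.etl (written to the current directory) to <guid>.pcap.
    param([Parameter(Mandatory)] [string] $InstanceGuid)
    $compId = Get-ContainerComponentId -InstanceGuid $InstanceGuid
    $pcap   = "$InstanceGuid.pcap"
    Write-Host "Capturing component Id $compId for $InstanceGuid; press Enter to stop."
    pktmon start --etw -c --comp $compId
    [void](Read-Host)
    pktmon stop
    pktmon etl2pcap PktMon.etl -o $pcap
    return (Resolve-Path $pcap).Path
}

function Test-ComponentIdParser {
    # Offline self-check against constructed copies of the two listings in step 6;
    # both must resolve the example instance_guid to component Id 30.
    $guid = '629d2bf3-a368-4ec2-5dd4-3076'
    $tableLayout = @'
Network Adapters:
   Id MAC Address       Name
   -- -----------       ----
    4 00-50-56-B7-2E-97 vmxnet3 Ethernet Adapter
   30 00-15-5D-EF-87-AB vEthernet (629d2bf3-a368-4ec2-5dd4-3076)
   29 00-15-5D-EF-82-68 vEthernet (winc-nat)
'@ -split "`r?`n"
    $treeLayout = @'
vSwitch winc-nat
    Hyper-V Virtual Ethernet Adapter #3 (629d2bf3-a368-4ec2-5dd4-3076)
        Id: 30 (NDIS), 66 (VMS)
        Driver: VmsProxyHNic.sys
        MAC Address: 00-15-5D-EF-87-AB
        ifIndex: 22
'@ -split "`r?`n"
    foreach ($listing in @($tableLayout, $treeLayout)) {
        $found = Get-ContainerComponentId -InstanceGuid $guid -CompList $listing
        if ($found -ne 30) { throw "Parser self-check failed: got $found" }
    }
    return $true
}
```

Dot-source the file in the PowerShell session from step 5, run Test-ComponentIdParser once to confirm the parser handles your pktmon version's listing, then run Invoke-ContainerCapture -InstanceGuid 629d2bf3-a368-4ec2-5dd4-3076 and press Enter once the traffic of interest has passed. Step 10 (bosh scp) is unchanged; the function returns the full path of the pcap so you know what to copy.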


Step 10
Exit the Windows Diego Cell and use the bosh CLI to scp the pcap file to the current working directory:

$ bosh -d pas-windows-38f6319ac59f2543b5e3 scp windows_diego_cell/XXXXXXXX-XXXX-XXXX-XXXX-350d5d5c4ad7:/Users/bosh_6213a8613f6b43e/629d2bf3-a368-4ec2-5dd4-3076.pcap .