Capturing virtual switch traffic with tcpdump and other utilities
Details
- Service Console level: ESX ships with the tcpdump utility. Refer to the article Troubleshooting network issues by capturing and sniffing network traffic (1004090).
- Guest operating system (GOS) level: Depending on the operating system type, different utilities may be available to download for capturing network traffic.
Monitoring virtual switch traffic using tcpdump or other packet-capture utilities requires a port group with non-default security policies set.
Attempting to capture traffic without adjusting the security policies results in silent failure of the capture operation.
Solution
The following describes setting up a vSwitch and/or a port group in promiscuous mode for tcpdump:
- To monitor traffic via the VMware Service Console (SC), a port group and a vswif interface with the security setting changed to promiscuous mode accept are required for capturing.
- To monitor traffic via a virtual machine, the virtual machine's virtual NIC must also be set to promiscuous mode accept; however, this step is often accomplished by the capturing utility installed on the guest operating system. The virtual switch (vSwitch) and port group security settings must also be modified to accept all traffic (promiscuous mode accept).
- To capture all traffic of the virtual switch, set the vSwitch security settings to promiscuous mode accept.
- To capture only the traffic of a port group, modify only that particular port group's security settings to promiscuous mode accept.
- The capturing utility uses a layer 3 IP address, which is why a Service Console with an IP address in the desired subnet is needed for capturing. This also applies to guest operating systems.
- To monitor VMkernel traffic, place a service console on the VMkernel virtual switch and use the technique below.
The following steps must be applied as a whole if the environment requires a totally dedicated virtual switch, port group, and service console, or they can be used as a reference for modifying existing network settings. Go to step 3 of these instructions to modify only the port group:
- Create a new service console portgroup named COS_tcpdump (or whatever name makes sense to you).
- Connect to the ESX Server host using VI Client.
- From the main Networking panel, click Add Networking and choose Service Console. (See Figure 1.)
- Click Next.
Figure 1:
- Select Create a virtual switch. (See Figure 2.)
Figure 2:
- Click Next.
- Assign IP information accordingly. (See Figure 3.)
Figure 3:
- Click Next and Finish.
- Open the properties for this port group and click Edit. (See Figure 4 and Figure 5.)
Figure 4:
Figure 5:
- Click the Security tab and mark all three policy exceptions as Accept. Click OK. (See Figure 6.)
Figure 6:
- Close the Properties edit panel. You are ready to run tcpdump on this vswif.
Note: The known problem referenced as "tcpdump captures only outbound traffic when there are multiple uplinks per portgroup" is resolved in VMware ESX 3.0.2.
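Because a capture on a port group that still rejects promiscuous mode fails silently, it helps to check the resulting file. The following Python sketch is an added example, not part of the VMware article: it parses a classic pcap file such as one written with `tcpdump -w` and counts unicast frames exchanged between other hosts, which appear only when promiscuous mode is in effect. The MAC addresses and the two sample captures are constructed, and a zero "foreign" count can also mean the segment was simply idle.

```python
import struct

def classify_capture(pcap_bytes, local_mac):
    """Count Ethernet frames in a classic pcap by their relation to local_mac."""
    local = bytes.fromhex(local_mac.replace(":", ""))
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts = {"from_local": 0, "to_local": 0, "broadcast_multicast": 0, "foreign": 0}
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(pcap_bytes):
        caplen = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen
        if len(frame) < 14:
            continue  # truncated record without a full Ethernet header
        dst, src = frame[0:6], frame[6:12]
        if src == local:
            counts["from_local"] += 1
        elif dst == local:
            counts["to_local"] += 1
        elif dst[0] & 1:  # group bit set: broadcast or multicast
            counts["broadcast_multicast"] += 1
        else:
            counts["foreign"] += 1  # unicast between two other hosts
    return counts

def promiscuous_effective(counts):
    """Heuristic: unicast between other hosts is only seen in promiscuous mode."""
    return counts["foreign"] > 0

def build_pcap(frames):
    """Build a little-endian pcap in memory from (dst, src) pairs (sample data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for dst, src in frames:
        frame = bytes.fromhex(dst + src) + b"\x08\x00" + b"\x00" * 46
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed MAC addresses; LOCAL stands in for the capturing vswif interface.
LOCAL, A, B, BCAST = "005056000001", "005056000002", "005056000003", "ffffffffffff"
REJECT_CAPTURE = build_pcap([(LOCAL, A), (A, LOCAL), (BCAST, B)])
ACCEPT_CAPTURE = REJECT_CAPTURE + build_pcap([(A, B)])[24:]
```
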
- KB Article: 1000880
- Updated: Aug 14, 2009
- Products: VMware ESX
- Product Versions: VMware ESX 3.0.x, VMware ESX 3.5.x

