Using the pktcap-uw tool in ESXi 5.5 and later

Using the pktcap-uw tool in ESXi 5.5 and later

search cancel

Using the pktcap-uw tool in ESXi 5.5 and later

book

Article ID: 341568

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

The pktcap-uw tool is an enhanced packet capture and analysis tool that can be used in place of the legacy tcpdump-uw tool. The pktcap-uw tool is included by default in ESXi 5.5 and later versions. This article provides information on using the pktcap-uw tool for packet capture and analysis.

Note: The tcpdump-uw tool can only capture packets/frames at the vmkernel interface level and cannot capture frames at the uplinks, or vSwitch, or virtual port levels. The new pktcap-uw tool allows traffic to be captured at all points within the hypervisor for greater flexibility and improved troubleshooting.

Environment

VMware vSphere ESXi 6.0
VMware vSphere ESXi 5.5
VMware vSphere ESXi 6.7
VMware vSphere ESXi 6.5

Resolution

Using the pktcap-uw tool

Note:

pktcap defaults to inbound traffic only.
In vSphere 6.5 and earlier, specify the direction of traffic using --dir 0 for inbound and --dir 1 for outbound. You can’t specify traffic going both ways at the same time. However, in vSphere 6.7 and later, you can specify the direction of traffic using --dir 0 for inbound, --dir 1 for outbound, or --dir 2 for both.
Two (or more) separate traces can be run in parallel but need to be merged later in wireshark.

To obtain basic help and syntax information, use the -h option:

# pktcap-uw -h |more
To view a live capture of a vmkernel ports traffic:

# pktcap-uw --vmk vmkX

For example, to capture frames/packets on vmk0:

# pktcap-uw --vmk vmk0
To view a live capture of a specific physical network card on the host vmnic:

# pktcap-uw --uplink vmnicX

For example, to capture frames/packets on vmnic7:

# pktcap-uw --uplink vmnic7
To view a live capture of a particular vSwitch port for a virtual machine, use the --switchport option:

# pktcap-uw --switchport switchportnumber

For example, to capture frames or packets to and from a virtual machine connected to dvSwitchport 8:

# pktcap-uw --switchport 8
To capture the output to a file, use -o option:

# pktcap-uw --vmk vmk# -o file.pcap

For example, to capture the packets from vmk0 and save to test.pcap file under /tmp directory:

# pktcap-uw --vmk vmk0 -o /tmp/test.pcap

Notes:
- When you are using the -o option, output is in pcap format regardless of other settings.
- To specify how many seconds pktcap-uw will run, use -G <seconds>.
- To specify pktcap-uw to run only until the output is a certain file size (in megabytes), use -C <file_size>.
- To end the capture, ensure to use Ctrl-C multiple times instead of Ctrl-Z because Ctrl-Z may leave background processes running that may prevent subsequent pktcap-uw commands from running and report the error:
  
  error: Can't create the session, Exiting

Advanced Usage: trace multiple ports at the same time

As an example, trace a particular vSwitch port and its associated uplink at the same time:

To get the vSwitch port number, run this command:

net-stats -l
Identify and make a note these parameters:

Port ID returned by the esxtop command — --switchport 50331665

vmnic2 physical port that you want to trace — --uplink vmnic2 -

location of the output pcap file — /tmp/vmnic2.pcap
Run the pktcap-uw command to capture packets at both points simultaneously:

pktcap-uw --switchport 50331665 -o /tmp/50331665.pcap & pktcap-uw --uplink vmnic2 -o /tmp/vmnic2.pcap &

Note: The command shell we assume here is the Bash shell. Therefore, if you have more than one uplink on the vswitch, you just add the command after the ending & and add a & at the end.
You can stop pktcap-uw tracing with the kill command:

kill $(lsof |grep pktcap-uw |awk '{print $1}'| sort -u)
Run this command to check that all pktcap-uw traces are stopped:

lsof |grep pktcap-uw |awk '{print $1}'| sort -u

Additional Information

VMware Skyline Health Diagnostics for vSphere - FAQ
ESXi 5.5 以降での pktcap-uw ツールの使用
在 ESXi 5.5 及更高版本中使用 pktcap-uw 工具

Feedback

thumb_up Yes

thumb_down No