Collecting network packets using the lightweight PacketCapture
search cancel

Collecting network packets using the lightweight PacketCapture

book

Article ID: 312012

calendar_today

Updated On:

Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

This article describes the PacketCapture tool and steps to efficiently collect network packets. This tool is available starting from vSphere 6.5 U2 and above versions.

Resolution

  1. SSH to the VMware ESXi or vCenter Server Appliance virtual machine.
  2. Enable PacketCapture in the rhttpproxy config.xml file.
    • Here is the default installation path of the rhttpproxy configuration file:
On vCSA: /etc/vmware-rhttpproxy/config.xml
On ESXi : /etc/vmware/rhttpproxy/config.xml
Note: Since ESXi 8.0U1 the service configuration is stored in a special config store database and is accessible using configstorecli tool. To edit the configuration, refer to: KB 89489
 
            The possible PacketCapture configuration options and their description:
              <config>
           <packetCapture>
              <enabled>true</enabled>
               <!-- On startup delete all pcap and pcap.gz files that were last modified more than X hours ago and are not part of the current process. -->
                                <!-- The default value is 72 hours --> 
               <validity>72</validity>
                      
               <!-- Controls where rolling pcap files are stored --> 
                               <!-- The directory must exist and should be accessible --> 
              <directory>/tmp</directory>
                      
               <!-- Size(in bytes) of captured data of each pcap file before rolling over to the next. -->
                                <!-- Storing 50 MB of captured data in a pcap file requires a pcap file of about ~67.5 MB. -->
                                <!-- The minimum amount is 5MB on vCSA and 2.5MB on ESXi -->
               <maxDataInPcapFile>52428800</maxDataInPcapFile>
                     
               <!-- Number of pcap files to rotate amongst -->  
                                 <!-- The minimum number is 2 -->
               <maxPcapFilesCount>5</maxPcapFilesCount>
            </packetCapture>
         </config>                                                             
  1. Execute the following command to tell the rhttpproxy service to reload its config file:
# kill -SIGHUP `pidof rhttpproxy`
  1. You should now see a new .pcap file in the folder /tmp (or if you configured a different destination folder in step 2, in this one. If there is no .pcap file, restart the rhttpproxy service by running:
            On vCSA:
# vmon-cli -r rhttpproxy
On ESXi:
# /etc/init.d/rhttpproxy restart
  1. When the traffic is sniffed during the network problem, disable the PacketCapture.
To disable the PacketCapture,
  • Change the rhttpproxy config.xml file.
                <config>
           <packetCapture>
           <enabled>false</enabled>
  • Reload the configuration file, by using the command mentioned in Step 3.
        6. Collect the support bundle.
 Collect the created pcap and pcap.gz files in case they were not produced in the default directory.           
 By default they are produced in:

On ESXi: /var/run/log
On vCSA: /var/log/vmware/rhttpproxy
 
Note: Interfaces on which rhttpproxy captures packets are configurable through the xml array definition 'config/packetCapture/interface'. It could overwrite each of the PacketCapture's options configured in the rhttpproxy config.xml file.
 
By default:
On vCSA rhttpproxy captures traffic on the any interface.
On ESXi rhttpproxy captures traffic on both the 'vmk0' and 'lo0' interfaces.
 
         7.Copy the pcap and pcap.gz files to a system that runs a network analyzer tool, such as Wireshark                   and examine the packet details.
Note: Before analyzing the ESXi packet details, fix frame size meta data as ESXi packets are truncated by design. To fix frame size, use a third party tool such as TraceWrangler.
  • Open the pcap files using the tool.
  • Edit files by selecting "Fix frame size meta data" and "Also recalculate wire size when not hard sliced" under Packet list option. 
  • Click on Run to save the new files.
  • Analyze the network using the newly generated pcap files.
Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.


Additional Information

Impact/Risks:
PacketCapture collects and evaluate big amount of data which may consume a high CPU and disk usage.

Powered by Wolken Software