This article provides information about capturing ESX network traffic.

There are two ways to capture traffic in an ESX environment:

• On the Service Console level:
  
  ESX ships with the tcpdump utility. For more information on usage, see Troubleshooting network issues by capturing and sniffing network traffic via tcpdump (1004090).
  
  
• On the guest operating system (GOS) level:
  
  Depending on the operating system type, different utilities may be available to download for capturing network traffic.

Monitoring virtual switch traffic using tcpdump or other packet-capture utilities requires a port group with non-default security policies set.

Attempting to capture traffic without adjusting the security policies results in silent failure of the capture operation.

VMware ESX 4.1.x
VMware ESX 4.0.x
VMware ESX Server 3.5.x
VMware ESX Server 3.0.x

These steps describe setting up a vSwitch and/or a port group in promiscuous mode for tcpdump:

1. To monitor traffic via VMware Service Console (SC), a port group and a vswif interface with security settings modified to promiscuous mode accept is required for capturing.
2. To monitor traffic via the virtual machine, the virtual machine's virtual NIC must be set to promiscuous mode accept, however this step is often accomplished by the capturing utility installed on guest operating systems. The Virtual Switch (vSwitch) and port group security settings must also be modified to accept all traffic ( promiscuous mode accept).
3. To capture all traffic of the Virtual Switch, the vSwitch security setting is set to promiscuous mode accept.
4. To capture only the traffic of a port group, only that particular port group security setting is modified to promiscuous mode accept.
5. A layer 3 IP address is used by the capturing utility, therefore you must have a Service Console with an IP address in the desired subnet for capturing. This also applies to guest operating systems.
6. To monitor VMkernel Traffic, place a Service Console on the VMkernel virtual switch, and follow the procedure below.

These steps must be applied as a whole if the environment requires total dedicated virtual switch, port group, and service console, or can be used as reference to modify existing network settings. To modify only the port group, go to step 3 above.

Create a new service console portgroup named COS_tcpdump (or another name which makes sense in your environment):

1. Connect to the ESX host using VI Client / vSphere Client.
2. Click the ESX host, then click the Configuration tab.
3. Click Networking under Hardware.
4. Click Add Networking, which is located at the top right. The Add Network Wizard window appears.
5. Click Service console, then click Next.
6. Select Create a virtual switch and select the NIC to be associated with the virtual switch and click Next.
7. Enter a Network Label for the server console (in this example, COS_tcpdump), and provide a VLAN ID (optional).
8. On ESX 4.x, click Next.
   
9. Assign IP information using DHCP or manually by entering an IP Address and Subnet Mask, then click Next.
   
10. Click Finish to create the switch.
11. Click Properties next to the new virtual switch to edit its properties.
12. Highlight the newly created Service Console and click Edit to modify its properties.
13. In the vSwitch Properties window, click the Security tab and change all three Policy exceptions to Accept and click OK.
14. Close the Properties window. You are ready to run tcpdump on this vswif interface.

Additional Information

To capture tcpdump traffic for ESXi hosts, see Capturing a network trace in ESXi using Tech Support Mode or ESXi Shell (1031186).

Additional Information

For translated versions of this article, see:

• Español: Capturar el tráfico de conmutador virtual con tcpdump y otras utilidades (2065633)
  
• 日本語: tcpdump などのユーティリティを使用して仮想スイッチのトラフィックをキャプチャする (2076750)
  
• 简体中文: 使用 tcpdump 和其他实用程序捕获虚拟交换机流量 (2077556)