Troubleshooting network issues by capturing and sniffing network traffic via tcpdump
search cancel

Troubleshooting network issues by capturing and sniffing network traffic via tcpdump

book

Article ID: 334036

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

The following describes the basic concepts of monitoring network traffic:

  • To troubleshoot many network related issue, the tcpdump can be utilized to capture TCP/IP traffic.
  • Analyzing network traffic requires advance understanding of TCP/IP stack protocol to make sense of hidden TCP/IP messages captured.

This article emphasizes capturing and sniffing TCP/IP network traffic on ESX host.

The ESX 3.x Service Console is equipped with the utilities esxnet-support and tcpdump for network troubleshooting.
To capture TCP/IP packets in and out of an ESX host:
  • esxnet-support: This ESX script utilizes the tcpdump utility to create sniffer interface and capture ESX network traffic and generate tcpdump.gz file, to be analyzed for later.
  • tcpdump: This utility is shipped with ESX and runs at the Service Console (SC) TCP/IP stack. tcpdump is a command line tool used at root access level of ESX console connection for real time capturing to be displayed on the console screen.


Symptoms:

The following ESX network issues can be resolved by sniffing TCP/IP messages:

  • VMware VMotion fails at 10%
  • Connection fails to certain host and networks
  • Sessions to network services fail
  • Analyzing bandwidth and network services communication

cannot-vmotion connect-esx connection-fails-esx connection-fails-network connect-vm network-connection network-performance

Environment

VMware ESX Server 3.0.x

Resolution

Note: esxnet-support creates a dedicated portgroup and interface, but due to script errors, it may fail. If it fails, you must manually create a port group with proper security settings to accommodate esxnet-support script execution. For more information, see Capturing virtual switch traffic with tcpdump and other utilities (1000880).
The following describes command line utilization of esxnet-support:
  1. Run the following command:

    esxnet-support trace –z –p [port_name]

    Note: VMware recommends setting up a sniffer port on the vSwitch.
  2. Create a Service console port and name it cos_tcpdump .
  3. Run the following command as root on the ESX console:

    esxnet-support trace –z –p cos_tcpdump

    Press Ctrl+C to stop sniffer script.

    Note: This generates a dump file in the directory it was executed.
  4. The script esxnet-support generates the *.tcpdump.gz file. Utilize gunzip to extract the *.tcpdump.gz file.

  5. Use Network Protocol Analyzer utilities (such as Wireshark) to open and view the tcpdump file.

    Note: VMware does not endorse or recommend any particular third party software utility, nor is the list above meant to be exhaustive.
  6. Run the following command to view tcpdump from the console command line:

    tcpdump –i [interface name]


Additional Information



Powered by Wolken Software