To capture network traces in ESXi 4.x and ESXi 5.x, use the
tcpdump-uw command in Tech Support Mode.
Note: In ESXi 5.x, Tech Support Mode is replaced by ESXi Shell. For more information, see
Using ESXi Shell in ESXi 5.0 and 5.1 (2004746).
The tcpdump-uw command is based on the standard tcpdump utility. Network traces are captured from the perspective of a network interface. The examples in this article use vmk0, though any VMkernel network interface could be used.
Capturing network traces with tcpdump-uw
- To list the vmkernel interfaces, use the esxcfg-vmknic command with the -l option:
# esxcfg-vmknic -l
- To display packets on the vmkernel interface vmk0, use the tcpdump-uw command with the -i option:
# tcpdump-uw -i vmk0
Note:
- To capture the entire packet, use the tcpdump-uw command with the -s option with a value of 1514 for normal traffic and 9014 if Jumbo Frames are enabled.
Normal traffic: # tcpdump-uw -i vmk0 -s 1514
Jumbo Frames enabled: # tcpdump-uw -i vmk0 -s 9014 -B 9
Note: By default, tcpdump-uw can only capture a maximum of 8138 bytes due to buffer constraints. The -B 9 option increases the buffer to allow the capture of up to 9014 bytes.
- To display all of the packets on vmk0 with verbose detail, use the tcpdump-uw command with the -vvv option:
# tcpdump-uw -i vmk0 -s 1514 -vvv
Note: Refer to the tcpdump-uw help page for more -v options.
- To display only the TCP packets on vmk0, use the tcp option with the tcpdump-uw command.
# tcpdump-uw -i vmk0 -s 1514 tcp
- To see traffic to/from only a single IP address, you can use the host option:
# tcpdump-uw -i vmk0 -s 1514 host x.x.x.x
- To avoid seeing unwanted traffic types in the tcpdump-uw output, use the not option. For example, to filter out DNS and SSH traffic, use the following command:
# tcpdump-uw -i vmk0 -s 1514 port not 22 and port not 53
Note: This is useful when doing a packet capture on a VMkernel interface when that same interface is also being used for an active SSH session.
- To save the dump in pcap format for later use with Wireshark, use the -w option followed by an output file name, such as traffic.pcap.
# tcpdump-uw -i vmk0 -s 1514 -w traffic.pcap
- If the trace is running for a long time, you can split the trace pcap file into chunks of the desired size using the -C option.
# tcpdump-uw -i vmk0 -s 1514 -C 100M -w /var/tmp/test.pcap
- To limit the number of trace files kept, use the -W option. This option is useful when a trace must be left running for a long period of time, waiting for an event to occur.
For example:
# tcpdump-uw -i vmk0 -s 1514 -C 100M -W 10 -w /var/tmp/test.pcap
This command creates 10 trace files of 100MB each, which ensures that you do not run out of space on ESX.
Note: This option has the same effect as rotating the log files.
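As an added example (not part of this article), the following shell helper assembles a tcpdump-uw command from the options described above: the 1514/9014 snaplen and -B 9 rule, the port exclusions for the active SSH session, and -C/-W rotation, and it checks that the output directory has room for the full rotation set before starting. The function names and the RUN_CAPTURE variable are assumptions for this example.

```shell
#!/bin/sh
# Added helper (not from the KB article): build and run a rotating tcpdump-uw
# capture on an ESXi host. Function names are this example's own choices.

# Snaplen flags: 1514 for normal frames, 9014 plus a larger buffer (-B 9) for jumbo frames.
snaplen_flags() {
    if [ "$1" = "jumbo" ]; then printf '%s' "-s 9014 -B 9"; else printf '%s' "-s 1514"; fi
}

# Build a "port not A and port not B ..." filter from a list of ports,
# e.g. to keep the SSH session used to run the capture out of the trace.
exclude_filter() {
    f=""
    for p in "$@"; do
        [ -n "$f" ] && f="$f and "
        f="${f}port not $p"
    done
    printf '%s' "$f"
}

# Disk needed for a full rotation set, in KB: COUNT files of SIZE_MB each.
required_kb() { echo $(( $1 * 1024 * $2 )); }

# build_capture_cmd IFACE normal|jumbo OUTFILE SIZE_MB COUNT [PORT...]
# Prints the command line; it does not run it.
build_capture_cmd() {
    iface=$1; frame=$2; out=$3; size=$4; count=$5; shift 5
    cmd="tcpdump-uw -i $iface $(snaplen_flags "$frame") -C ${size}M -W $count -w $out"
    filter=$(exclude_filter "$@")
    [ -n "$filter" ] && cmd="$cmd $filter"
    printf '%s' "$cmd"
}

# check_space OUTFILE SIZE_MB COUNT: fail if the output directory cannot hold all chunks.
check_space() {
    dir=$(dirname "$1"); need=$(required_kb "$2" "$3")
    avail=$(df -k "$dir" | awk 'NR>1 {a=$4} END {print a}')
    [ "$avail" -ge "$need" ]
}

# Run the capture only when explicitly requested (RUN_CAPTURE=1 on the ESXi host).
if [ "${RUN_CAPTURE:-0}" = 1 ]; then
    check_space /var/tmp/test.pcap 100 10 || { echo "not enough space in /var/tmp" >&2; exit 1; }
    eval "$(build_capture_cmd vmk0 normal /var/tmp/test.pcap 100 10 22 53)"
fi
```

Run it as `RUN_CAPTURE=1 sh capture.sh` in the ESXi Shell; without that variable it only defines the functions, so the command line can be inspected first.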