Search the VMware Knowledge Base (KB)
View by Article ID

Using the pktcap-uw tool in ESXi 5.5 and later (2051814)

  • 19 Ratings

Purpose

The pktcap-uw tool is an enhanced packet capture and analysis tool that can be used in place of the legacy tcpdump-uw tool. The pktcap-uw tool is included by default in ESXi 5.5 and later versions. This article provides information on using the pktcap-uw tool for packet capture and analysis.

Note: The tcpdump-uw tool can only capture packets/frames at the vmkernel interface level and cannot capture frames at the uplinks, or vSwitch, or virtual port levels. The new pktcap-uw tool allows traffic to be captured at all points within the hypervisor for greater flexibility and improved troubleshooting.

Resolution

Using the pktcap-uw tool

Note:
  1. pktcap is unidirectional and defaults to inbound direction only. 
  2. Direction of traffic is specified using --dir 0 for inbound and --dir 1 for outbound but inbound is assumed.
  3. Two (or more) separate traces can be run in parallel but need to be merged later in wireshark.

  • To obtain basic help and syntax information, use the -h option:

    # pktcap-uw -h |more

  • To view a live capture of a vmkernel ports traffic:

    # pktcap-uw --vmk vmkX

    For example, to capture frames/packets on vmk0

    # pktcap-uw --vmk vmk0

  • To view a live capture of a specific physical network card on the host vmnic:

    # pktcap-uw --uplink vmnicX

    For example, to capture frames/packets on vmnic7

    # pktcap-uw --uplink vmnic7

  • To view a live capture of a particular vSwitch port for a virtual machine, use the --switchport option:

    # pktcap-uw --switchport switchportnumber

    For example, to capture frames or packets to and from a virtual machine connected to dvSwitchport 8:

    # pktcap-uw --switchport 8

  • To capture the output to a file, use -o option:

    # pktcap-uw --vmk vmk# -o file.pcap

    For example, to capture the packets from vmk0 and save to test.pcap file under /tmp directory:

    # pktcap-uw --vmk vmk0 -o /tmp/test.pcap

    Note: When you are using the -o option, output is in pcap format regardless of other settings.

    Note: To end the capture, ensure to use Ctrl-C multiple times instead of Ctrl-Z because Ctrl-Z may leave background processes running that may prevent subsequent pktcap-uw commands from running and report the error:

    error: Can't create the session, Exiting

Advanced Usage: trace multiple ports at the same time

As an example, trace a particular vSwitch port and its associated uplink at the same time:

  1. To get the vSwitch port number, run this command:

    net-stats -l
  2. Identify and make a note these parameters:

    Port ID returned by the esxtop command —  --switchport 50331665

    vmnic2 physical port that you want to trace —  --uplink vmnic2 -

    location of the output pcap file —  /tmp/vmnic2.pcap

  3. Run the pktcap-uw command to capture packets at both points simultaneously:

    pktcap-uw --switchport 50331665 -o /tmp/50331665.pcap & pktcap-uw --uplink vmnic2 -o /tmp/vmnic2.pcap &

    Note: The command shell we assume here is the Bash shell. Therefore, if you have more than one uplink on the vswitch, you just add the command after the ending & and add a & at the end.

  4. You can stop pktcap-uw tracing with the kill command:

    kill $(lsof |grep pktcap-uw |awk '{print $1}'| sort -u)

  5. Run this command to check that all pktcap-uw traces are stopped:

    lsof |grep pktcap-uw |awk '{print $1}'| sort -u

See Also

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 19 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)




Please enter the Captcha code before clicking Submit.
  • 19 Ratings
Actions
KB: