Monitor packets that are exchanged between a VMkernel adapter and a virtual switch by using the pktcap-uw utility.

You can capture packets at a certain capture point in the flow between a virtual switch and a VMkernel adapter. You can also determine a capture point by traffic direction with regard to the switch and proximity to the packet source or destination. For information about supported capture points, see Capture Points of the pktcap-uw Utility.

1

(Optional) Find the name of the VMkernel adapter that you want to monitor in the VMkernel adapter list.

In the vSphere Web Client, from the Networking list on the Manage tab for the host, select VMkernel adapters.

In the ESXi Shell to the host, to view a list of the physical adapters, run the following console command:

esxcli network ip interface list

Each VMkernel adapter is represented as vmkX, where X is the sequence number that ESXi assigned to the adapter.

2

In the ESXi Shell to the host, run the pktcap-uw command with the --vmk vmkX argument and with options to monitor packets at a particular point, filter captured packets and save the result to a file.

pktcap-uw --vmk vmkX [--capture capture_point|--dir 0|1 --stage 0|1]  [filter_options] [--outfile pcap_file_path [--ng]] [--count number_of_packets]

where the square brackets [] enclose the options of the pktcap-uw --vmk vmkX command and the vertical bars | represent alternative values.

You can replace the --vmk vmkX option with --switchport vmkernel_adapter_port_ID, where vmkernel_adapter_port_ID is the PORT-ID value that the network panel of the esxtop utility displays for the adapter.

If you run the pktcap-uw --vmk vmkX command without options, you obtain the content of packets that are leaving the VMkernel adapter.

a

To check transmitted or received packets at a specific place and direction, use the --capture option, or combine the values of the --dir and --stage options.

pktcap-uw Command Options

Goal

--dir 1 --stage 0

Monitor packets immediately after they leave the virtual switch.

--dir 1

Monitor packets immediately before they enter the VMkernel adapter.

--dir 0 --stage 1

Monitor packets immediately before they enter the virtual switch.

b

Use a filter_options to filter packets according to source and destination address, VLAN ID, VXLAN ID, Layer 3 protocol, and TCP port.

For example, to monitor packets from a source system that has IP address 192.168.25.113, use the --srcip 192.168.25.113 filter option.

c

Use options to save the contents of each packet or the contents of a limited number of packets to a .pcap or .pcapng file.

To save packets to a .pcap file, use the --outfile option.

To save packets to a .pcapng file, use the --ng and --outfile options.

You can open the file in a network analyzer tool such as Wireshark.

By default, the pktcap-uw utility saves the packet files to the root folder of the ESXi file system.

d

Use the--count option to monitor only a number of packets.

3

If you have not limited the number of packets by using the --count option, press Ctrl+C to stop capturing or tracing packets.

If the contents of the packet are saved to a file, copy the file from the ESXi host to the system that runs a graphical analyzer tool, such as Wireshark, and open it in the tool to examine the packet details.