Use the pktcap-uw utility to inspect the contents of packets while they traverse the network stack on an ESXi host.

The pktcap-uw command has the following syntax for capturing packets at a certain place in the network stack:

pktcap-uw switch_port_arguments capture_point_options filter_options output_control_options
Note

Certain options of the pktcap-uw utility are designed for VMware internal use only and you should use them only under the supervision of VMware Technical Support. These options are not described in the vSphere Networking guide.

pktcap-uw Arguments for Capturing Packets

Argument Group

Argument

Description

switch_port_arguments

--uplink vmnicX

Capture packets that are related to a physical adapter.

You can combine the --uplink and --capture options for monitoring packets at a certain place in the path between the physical adapter and the virtual switch.

See Capture Packets That Arrive at a Physical Adapter.

--vmk vmkX

Capture packets that are related to a VMKernel adapter.

You can combine the vmk and --capture options for monitoring packets at a certain place in the path between the VMkernel adapter and the virtual switch.

See Capture Packets for a VMkernel Adapter.

--switchport {vmxnet3_port_ID | vmkernel_adapter_port_ID}

Capture packets that are related to a VMXNET3 virtual machine adapter or to a VMkernel adapter that is connected to a particular virtual switch port. You can view the ID of the port in the network panel of the esxtop utility.

You can combine the switchport and capture options for monitoring packets at a certain place in the path between the VMXNET3 adapter or VMkernel adapter and the virtual switch.

See Capture Packets for a VMXNET3 Virtual Machine Adapter.

--lifID lif_ID

Capture packets that are related to the logical interface of a distributed router. See the VMware NSX documentation.

capture_point_options

--capture capture_point

Capture packets at a particular place in the network stack. For example, you can monitor packets right after they arrive from a physical adapter.

--dir {0|1}

Capture packets according to the direction of the flow with regard to the virtual switch.

0 stands for incoming traffic and 1 for outgoing traffic.

By default, the pktcap-uw utility captures ingress traffic.

Use the --dir option together with the --uplink, --vmk, or --switchport option.

--stage {0|1}

Capture the packet closer to its source or to its destination. Use this option to examine how a package changes while it traverses the points in the stack.

0 stands for traffic closer to source and 1 for traffic closer to destination.

Use the --stage option together with the --uplink, --vmk , --switchport, or --dvfilter option.

--dvfilter filter_name --capture PreDVFilter|PostDVFilter

Capture packets before or after a vSphere Network Appliance (DVFilter) intercepts them. See Capture Packets at DVFilter Level.

-A | --availpoints

View all capture points that the pktcap-uw utility supports.

For details about the capture points of the pktcap-uw utility, see Capture Points of the pktcap-uw Utility.

filter_options

Filter captured packets according to source or destination address, VLAN ID, VXLAN ID, Layer 3 protocol, and TCP port. See pktcap-uw Options for Filtering Packets.

output_control_options

Save the contents of a packet to a file, capture only a number of packets, and capture a number of bytes at the beginning of packets, and so on. See pktcap-uw Options for Output Control.

The vertical bars | represent alternative values, and the curly brackets {} used with vertical bars specify a list of choices for an argument or option.