Troubleshoot lost connectivity by capturing dropped packets through the pktcap-uw utility.

A packet might be dropped at a point in the network stream for many reasons, for example, a firewall rule, filtering in an IOChain and DVfilter, VLAN mismatch, physical adapter malfunction, checksum failure, and so on. You can use the pktcap-uw utility to examine where packets are dropped and the reason for the drop.


In the ESXi Shell to the host, run the pktcap-uw --capture Drop command with options to monitor packets at a particular point, filter captured packets and save the result to a file.

pktcap-uw --capture Drop [filter_options] [--outfile pcap_file_path [--ng]] [--count number_of_packets]

where the square brackets [] enclose the options of the pktcap-uw --capture Drop command and the vertical bars | represent alternative values.


Use a filter_options to filter packets according to source and destination address, VLAN ID, VXLAN ID, Layer 3 protocol, and TCP port.

For example, to monitor packets from a source system that has IP address, use the --srcip filter option.


Use options to save the contents of each packet or the contents of a limited number of packets to a .pcap or .pcapng file.

To save packets to a .pcap file, use the --outfile option.

To save packets to a .pcapng file, use the --ng and --outfile options.

You can open the file in a network analyzer tool such as Wireshark.

By default, the pktcap-uw utility saves the packet files to the root folder of the ESXi file system.


You can see the reason and the place where a packet is dropped only when you capture packets to the console output. The pktcap-uw utility saves only the content of packets to a .pcap or .pcapng file.


Use the--count option to monitor only a number of packets.


If you have not limited the number of packets by using the --count option, press Ctrl+C to stop capturing or tracing packets.

Besides the contents of dropped packets, the output of the pktcap-uw utility displays the reason for the drop and the function in the network stack that handled the packet last.

If the contents of the packet are saved to a file, copy the file from the ESXi host to the system that runs a graphical analyzer tool, such as Wireshark, and open it in the tool to examine the packet details.