Monitor traffic that flows between a virtual switch and a VMXNET3 virtual machine adapter by using the pktcap-uw utility.

You can specify a certain capture point in the data path between a virtual switch and a virtual machine adapter. You can also determine a capture point by traffic direction with regard to the switch and proximity to the packet source or destination. For information about supported capture points, see Capture Points of the pktcap-uw Utility.

Verify that the virtual machine adapter is of type VMXNET3.

1. On the host, learn the port ID of the virtual machine adapter by using the esxtop utility.

a. In the ESXi Shell on the host, run esxtop to start the utility.

b. Press N to switch to the network panel of the utility.

c. In the USED-BY column, locate the virtual machine adapter, and write down the PORT-ID value for it.

The USED-BY field contains the name of the virtual machine and the port to which the virtual machine adapter is connected.

d. Press Q to exit esxtop.

2. In the ESXi Shell on the host, run pktcap-uw --switchport port_ID.

port_ID is the ID that the esxtop utility displays for the virtual machine adapter in the PORT-ID column.

3. In the ESXi Shell on the host, run the pktcap-uw command with the --switchport port_ID argument and with options to monitor packets at a particular point, filter captured packets, and save the result to a file.

pktcap-uw --switchport port_ID [--capture capture_point|--dir 0|1 --stage 0|1] [filter_options] [--outfile pcap_file_path [--ng]] [--count number_of_packets]

where the square brackets [] enclose the options of the pktcap-uw --switchport port_ID command and the vertical bars | represent alternative values.

If you run the pktcap-uw --switchport port_ID command without options, you obtain the content of packets that are incoming to the standard or distributed switch in the console output at the point when they are switched.

a. To check packets at another capture point or direction in the path between the guest operating system and the virtual switch, use the --capture option or combine the values of the --dir and --stage options.

| pktcap-uw Command Options | Goal |
|---|---|
| --capture Vmxnet3Tx | Monitor packets when they pass from the virtual machine to the switch. |
| --capture Vmxnet3Rx | Monitor packets when they arrive at the virtual machine. |
| --dir 1 --stage 0 | Monitor packets immediately after they leave the virtual switch. |
| --dir 1 | Monitor packets immediately before they enter the virtual machine. |
| --dir 0 --stage 1 | Monitor packets immediately after they enter the virtual switch. |

b. Use filter_options to filter packets according to source and destination address, VLAN ID, VXLAN ID, Layer 3 protocol, and TCP port.

For example, to monitor packets from a source system that has IP address 192.168.25.113, use the --srcip 192.168.25.113 filter option.

c. Use options to save the contents of each packet or the contents of a limited number of packets to a .pcap or .pcapng file.

To save packets to a .pcap file, use the --outfile option.

To save packets to a .pcapng file, use the --ng and --outfile options.

You can open the file in a network analyzer tool such as Wireshark.

By default, the pktcap-uw utility saves the packet files to the root folder of the ESXi file system.

d. Use the --count option to monitor only a number of packets.

4. If you have not limited the number of packets by using the --count option, press Ctrl+C to stop capturing or tracing packets.

To capture the first 60 packets from a source that is assigned the IP address 192.168.25.113 when they arrive at a virtual machine adapter with port ID 33554481 and save them to a file called vmxnet3_rcv_srcip.pcap, run the following pktcap-uw command:

 pktcap-uw --switchport 33554481 --capture Vmxnet3Rx --srcip 192.168.25.113 --outfile vmxnet3_rcv_srcip.pcap --count 60

If the contents of the packet are saved to a file, copy the file from the ESXi host to the system that runs a graphical analyzer tool, such as Wireshark, and open it in the tool to examine the packet details.
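
The options from step 3 combined into one validated command line, as an added example that is not part of the original page or of VMware's tooling. The helper name build_pktcap_cmd, its argument order, and the "dir,stage" shorthand are assumptions made for this sketch; it prints the pktcap-uw command without running it.

```shell
# Added example, not VMware code: build_pktcap_cmd is a hypothetical helper that
# validates its inputs and prints a pktcap-uw command line without running it.
# Args: port_id point [srcip] [outfile] [count]
#   point: Vmxnet3Tx | Vmxnet3Rx | "dir,stage" such as 0,1 | "" for the default
build_pktcap_cmd() {
    port_id=$1; point=$2; srcip=$3; outfile=$4; count=$5

    # PORT-ID from esxtop; assumed to be decimal digits, as in the page's example.
    case $port_id in
        ''|*[!0-9]*) echo "invalid port ID: $port_id" >&2; return 1 ;;
    esac
    cmd="pktcap-uw --switchport $port_id"

    # --capture and --dir/--stage are alternatives, so accept only one form.
    case $point in
        '') ;;
        Vmxnet3Tx|Vmxnet3Rx) cmd="$cmd --capture $point" ;;
        [01],[01]) cmd="$cmd --dir ${point%,*} --stage ${point#*,}" ;;
        *) echo "invalid capture point: $point" >&2; return 1 ;;
    esac

    # Optional source-address filter; reject anything but digits and dots.
    case $srcip in
        '') ;;
        *[!0-9.]*) echo "invalid source IP: $srcip" >&2; return 1 ;;
        *) cmd="$cmd --srcip $srcip" ;;
    esac

    # Optional output file; a .pcapng target needs --ng after --outfile.
    case $outfile in
        '') ;;
        *[!A-Za-z0-9._/-]*) echo "unsafe file path: $outfile" >&2; return 1 ;;
        *.pcapng) cmd="$cmd --outfile $outfile --ng" ;;
        *) cmd="$cmd --outfile $outfile" ;;
    esac

    # Optional packet limit; digits only, and not 0.
    case $count in
        '') ;;
        *[!0-9]*|0) echo "invalid count: $count" >&2; return 1 ;;
        *) cmd="$cmd --count $count" ;;
    esac

    echo "$cmd"
}

# Constructed sample call using the values from the example on this page.
build_pktcap_cmd 33554481 Vmxnet3Rx 192.168.25.113 vmxnet3_rcv_srcip.pcap 60
```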