Travelling Techie

Adventures in VMware


About The Author

Brandon Neill is a VMware Certified Instructor and Consultant. He specializes in NSX and vRealize Automation. In addition to teaching Official VMware Classes, he provides contract training and consulting services.



Capturing NSX Packets

We use pktcap-uw to capture network traffic at multiple points inside the ESXi host. However, the output of pktcap-uw is hex, so to interpret it, use either tcpdump-uw or Wireshark.


tcpdump cheatsheet

Technically only -r is necessary; -e prints Ethernet headers, and -n skips DNS lookups.

esxi# tcpdump-uw -enr file.pcap


Recent versions of Wireshark should detect VXLAN packets natively. However, Wireshark focuses on the inner packet, so you have to pay attention and look for the VXLAN section.

Route to cloud has some information about viewing VXLAN info in Wireshark.
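To show what the VXLAN section holds next to the inner packet, here is an added example (not from the original page) that reads a capture file and lists the VNI, the outer VTEP addresses and the inner MAC addresses of each encapsulated frame. It assumes a classic pcap file (not pcapng) and that VXLAN runs on UDP 4789 or 8472; the function names and the sample packet are constructed for illustration.

```python
import socket
import struct

VXLAN_PORTS = {4789, 8472}  # assumption: IANA port plus the older NSX-v default

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def vxlan_frames(pcap):
    """Yield (vni, vtep_src, vtep_dst, inner_src_mac, inner_dst_mac) per VXLAN frame."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic pcap file")
    off = 24                                    # skip the pcap global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        pkt = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        etype, l3 = pkt[12:14], 14
        if etype == b"\x81\x00":                # outer 802.1Q tag (transport VLAN)
            etype, l3 = pkt[16:18], 18
        if etype != b"\x08\x00" or len(pkt) < l3 + 20 or pkt[l3 + 9] != 17:
            continue                            # outer header is not IPv4/UDP
        l4 = l3 + (pkt[l3] & 0x0F) * 4          # honour the IPv4 header length
        if len(pkt) < l4 + 8 + 8 + 14:
            continue                            # too short for UDP + VXLAN + inner Ethernet
        dport = struct.unpack("!H", pkt[l4 + 2:l4 + 4])[0]
        vx = pkt[l4 + 8:l4 + 16]
        if dport not in VXLAN_PORTS or not vx[0] & 0x08:
            continue                            # wrong port, or I flag clear (no valid VNI)
        inner = pkt[l4 + 16:]
        yield (int.from_bytes(vx[4:7], "big"),
               socket.inet_ntoa(pkt[l3 + 12:l3 + 16]), socket.inet_ntoa(pkt[l3 + 16:l3 + 20]),
               mac(inner[6:12]), mac(inner[0:6]))

def build_sample(dport=8472, vni=5001):
    """Constructed one-packet pcap: made-up MACs and RFC 5737 addresses."""
    inner = bytes.fromhex("005056aa0002005056aa00010800") + bytes(20)
    vx = b"\x08\x00\x00\x00" + vni.to_bytes(3, "big") + b"\x00"
    udp = struct.pack("!HHHH", 54321, dport, 16 + len(inner), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36 + len(inner), 0, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.11"), socket.inet_aton("192.0.2.12"))
    frame = bytes.fromhex("005056bb0002005056bb00010800") + ip + udp + vx + inner
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)

if __name__ == "__main__":
    for row in vxlan_frames(build_sample()):
        print("vni=%d vtep %s -> %s inner %s -> %s" % row)
```

To run it against a real capture, pass the bytes of the file written with -o file.pcap to vxlan_frames instead of build_sample().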

Capturing VXLAN Traffic Exiting an ESXi Host



Two options to determine the switch port

esxi# esxtop (press N)

esxi# esxcli network vswitch dvs vmware vxlan network port list --vds-name <vDS_Name> --vxlan-id=<vni>

The packet as it exits the VM (if using vmxnet3 adapter)

esxi# pktcap-uw --switchport <portID> --capture Vmxnet3Tx

The packet as it arrives at the switchport

esxi# pktcap-uw --switchport <portID> --dir 0 -o file.pcap

Unencapsulated traffic on source ESXi host.

esxi# pktcap-uw --uplink <vmnic> --dir=1 --stage=0 -o file.pcap

Encapsulated traffic on the source ESXi host.

esxi# pktcap-uw --uplink <vmnic> --capture UplinkSndKernel -o file.pcap

Capturing VXLAN Traffic Entering an ESXi Host

Notice that in this set the dir and capture point change.



Encapsulated traffic on the destination ESXi host.

esxi> pktcap-uw --capture UplinkRcvKernel --uplink <vmnic> -o file.pcap

Capture the packet entering the vmnic switchport

esxi> pktcap-uw --uplink vmnic0 --dir=0

Capture the packet leaving the VM switchport.

esxi> pktcap-uw --switchport <portID> --dir 1 -o file.pcap

The packet as it enters the VM (if using vmxnet3 adapter)

esxi> pktcap-uw --switchport <portID> --capture Vmxnet3Rx

Capturing packets on the Distributed Logical Router

Use net-vdr to collect the MAC addresses of the DLR, and esxtop to collect the switch portID of the vdrport.

esxi# net-vdr -C -l

esxi# esxtop (press N)

Capture Inbound Packets on the Source ESXi DLR

esxi# pktcap-uw --switchport <vdr_portID> --dir 1 --vni <source_vni> -o file.pcap

Capture outbound packets on the Source ESXi DLR. Note the dir and vni have changed.

esxi# pktcap-uw --switchport <vdr_portID> --dir 0 --vni <destination_vni> -o file.pcap

Capturing Packets Entering and Exiting the Distributed Firewall

You can also use this information to capture traffic before and after the swsec dvfilter to observe ARP suppression.

Use summarize-dvfilter to determine the name of the filter attached to the VM.

esxi# summarize-dvfilter

Capture Packets Before the dvfilter.

esxi# pktcap-uw --dvfilter <filterName> --stage=0 -o file.pcap

Capture packets after the dvfilter. Note the stage has changed.

esxi# pktcap-uw --dvfilter <filterName> --stage=1 -o file.pcap
capturing_nsx_packets.txt · Last modified: 2018/03/26 12:40 by brandon