Travelling Techie

Adventures in VMware

About The Author

Brandon Neill is a VMware Certified Instructor and Consultant. He specializes in NSX and vRealize Automation. In addition to teaching Official VMware Classes, he provides contract training and consulting services.

pktcap-uw

The definitive guide to pktcap-uw

(“definitive” hah :) This guide is based on the documentation and my own testing in a lab environment; if you have any corrections, additions, or comments, please contact me.

pktcap-uw was introduced in ESXi 5.5 to provide many different capture points for network traffic inside of the ESXi host. As it doesn't provide output in human-readable form, use either Wireshark or tcpdump-uw to analyze the output.

esxi# tcpdump-uw -enr file.pcap

Reference Material

Syntax

esxi> pktcap-uw [switchport arguments] [capture point options] [filter options] [output options]

I have attempted to list the capture points/switchport options in the order in which I understand they occur. They may not always be accurate, and I don't understand what packet functions might occur between capture points. Where I do know, I will enumerate them. I have put information I'm not completely confident of in italics.

Switchport/Capture Point Options

In general, each switchport option has matching capture point options; however, some capture points do not require a switchport. The switchport can be specified in one of four ways: --uplink <vmnicX>, --switchport <portID>, --vmk <vmkX>, or --lifID <lif_ID>.

Capture Points for vmnic traffic

When capturing traffic for a vmnic, use --uplink <vmnicX> to specify which uplink. Without any options, this will capture the packets that are incoming to the switch at the point where they are switched. If you want to see which vmnic a particular VM or vdrport is bound to, use esxtop N and look at the team-pnic column.

From vmnic to switchport

  • --capture UplinkRcv
    • Monitor packets immediately after they are received in the network stack from the physical adapter.
    • This will show VXLAN encapsulated traffic.
  • I think dvfilters work here.
  • --capture PortInput
    • Monitor packets immediately before they enter the virtual switch
    • I think this is the same as --dir 0

From switchport to vmnic

  • --capture PortOutput
    • Monitor packets immediately after they leave the virtual switch
    • I think this is the same as --dir 1
  • I think dvfilters work here.
  • --capture UplinkSnd
    • Monitor packets immediately before they enter the physical adapter device.
    • This will show VXLAN encapsulated traffic

Capture Points for Virtual Machine Traffic

When capturing traffic for a VM, use --switchport <portID> to specify which VM. I think the default is --capture PortInput

From vmxnet3 to switchport

  • --capture vmxnet3Tx
    • Monitor packets as they exit the vmxnet3 adapter
  • I think dvfilters work here.
    • sfw (Distributed Firewall) performs Distributed Firewall functions
    • swsec (switch security) performs VXLAN functions and IP Discovery
  • --capture PortInput
    • The function that passes packets to a port on the virtual switch.
  • --dir 0 --stage 1
    • Monitor packets immediately after they enter the virtual switch

From switchport to vmxnet3

  • --dir 1 --stage 0
    • Monitor packets immediately after they leave the virtual switch
  • --capture PortOutput
    • The function that passes packets from the switchport to the vmxnet3Rx
  • I think dvfilters work here.
    • sfw (Distributed Firewall) performs Distributed Firewall functions
    • swsec (switch security) performs VXLAN functions and IP Discovery
  • --dir 1
    • Monitor packets immediately before they enter the virtual machine
  • --capture vmxnet3Rx
    • Monitor packets immediately before they enter the vmxnet3 adapter

Capture Points for vmkernel Traffic

When capturing traffic for a vmk, use --vmk <vmkX> to specify which vmkernel interface. I think the default is --capture PortInput.

From vmk to switchport

  • --dir 0
    • I'm not sure what goes here. --dir 0 is my guess, but it's not in the documentation.
    • For most vmkernel ports, you can use tcpdump-uw to capture packets
  • I think dvfilters work here.
    • ESXi-Firewall (Host firewall)
  • --capture PortInput
    • The function that passes packets from the vmk to a port on the virtual switch.
  • --dir 0 --stage 1
    • Monitor packets immediately before they enter the virtual switch

From switchport to vmk

  • --capture PortOutput
    • The function that passes packets from a port on the virtual switch to the vmk.
  • --dir 1 --stage 0
    • Monitor packets after they leave the virtual switch
  • I think dvfilters work here.
    • ESXi-Firewall (Host firewall)
  • --dir 1
    • Monitor packets immediately before they enter the vmkernel adapter

Capture Points for dvfilter Traffic

When capturing traffic for a dvfilter, don't specify a switchport, instead specify the dvfilter using --dvFilter dvfilter_name. Use summarize-dvfilter to find the relevant dvfilter.

  • --capture PreDVFilter
    • Before a dvFilter intercepts a packet
  • --capture PostDVFilter
    • After a dvFilter intercepts a packet

Capture Points for Distributed Router Traffic

This section is still a work in progress

Use --lifID <lif_ID> to specify the lif.

  • VdrRxLeaf
  • VdrRxTerminal
  • VdrTxLeaf
  • VdrTxTerminal

Other Capture Points

  • Drop
  • TcpipDispatch
  • PktFree
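The switchport/capture point pairings above are easy to get wrong at the command line, so here is a small POSIX sh helper (added for this guide, not part of pktcap-uw or VMware's documentation) that builds a pktcap-uw command and refuses capture points that don't belong to the chosen selector. It assumes pktcap-uw's -o <file> and -c <count> options for the output file and packet count; the --dir/--stage variants are not modelled. The dvfilter_pair function produces the PreDVFilter/PostDVFilter pair you would run to see what a dvfilter such as the sfw (Distributed Firewall) slot actually lets through.

```shell
#!/bin/sh
# Capture points that pair with each switchport selector, taken from the
# capture point sections of this guide.
points_for() {
    case "$1" in
        uplink)     echo "UplinkRcv PortInput PortOutput UplinkSnd" ;;
        switchport) echo "vmxnet3Tx PortInput PortOutput vmxnet3Rx" ;;
        vmk)        echo "PortInput PortOutput" ;;
        dvFilter)   echo "PreDVFilter PostDVFilter" ;;
        lifID)      echo "VdrRxLeaf VdrRxTerminal VdrTxLeaf VdrTxTerminal" ;;
        *)          return 1 ;;
    esac
}

# pktcap_cmd <selector> <id> <capture point> <outfile> [count]
# Prints the pktcap-uw command line; prints an error and returns 1 when the
# selector is unknown or the capture point is not valid for that selector.
# -o (output file) and -c (packet count) are assumed pktcap-uw options.
pktcap_cmd() {
    sel=$1; id=$2; cp=$3; out=$4; count=${5:-100}
    valid=$(points_for "$sel") || { echo "unknown selector: $sel" >&2; return 1; }
    case " $valid " in
        *" $cp "*) ;;
        *) echo "capture point $cp is not valid with --$sel" >&2; return 1 ;;
    esac
    echo "pktcap-uw --$sel $id --capture $cp -o $out -c $count"
}

# dvfilter_pair <dvfilter name> [count]
# Two captures around one dvfilter (name from summarize-dvfilter): packets that
# appear in pre.pcap but not in post.pcap were consumed by the filter.
dvfilter_pair() {
    name=$1; n=${2:-200}
    pktcap_cmd dvFilter "$name" PreDVFilter /tmp/pre.pcap "$n" &&
    pktcap_cmd dvFilter "$name" PostDVFilter /tmp/post.pcap "$n"
}
```

On the host, run the printed commands (for example with eval "$(pktcap_cmd uplink vmnic0 UplinkRcv /tmp/u.pcap)") and compare the two files with tcpdump-uw -enr.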

Filter Options

Output Options

pktcap-uw.txt · Last modified: 2018/01/31 18:40 by brandon