Using the pktcap-uw tool to capture VM traffic

2 Replies

SSH on to the ESXi host the VM resides on and run command below. Replace VM-NAME with your VM’s name.

esxcli network vm list | grep -i VM-NAME

COMMAND OUTPUT:

1122341 VM-NAME dvportgroup-202593

Copy digits at beginning of output – 1122341 into command below and run command.

esxcli network vm port list -w 1122341

COMMAND OUTPUT:

Port ID: 33554507
vSwitch: VDS or VSS Name
Portgroup: dvportgroup-202593
DVPort ID: 323
MAC Address: 00:50:56:91:72:03
IP Address: 0.0.0.0
Team Uplink: vmnic1
Uplink Port ID: 33554434
Active Filters:

Copy Port ID at the beginning of output – 33554507 into capture commands below and run captures.

FOR EGRESS CAPTURE (default)

pktcap-uw --switchport 33554507 -o /tmp/VM-NAME-outbound.pcap

FOR INGRESS CAPTURE

pktcap-uw --switchport 33554507 --dir 1 -o /tmp/VM-NAME.pcap

Install WinSCP, connect to host over SCP, download pcap file from tmp folder, analyze in Wireshark

More info —

https://kb.vmware.com/s/article/2051814

Post Views: 6,352

2 thoughts on “Using the pktcap-uw tool to capture VM traffic

  2. JT

    Just a query/correction, isn’t the default capture route with no –dir 0/1/2 defined set to inbound packets? Not egress/outbound?

    I thought it was meant to be:

    0 = Inbound
    1=Outbound
    2=Bidirectional

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.