How to capture VMware network traffic using pktcap-uw

Have you used the command pktcap-uw to monitor the traffic in your VMware environment? If not, start using it. It is a very useful tool.

Let me show you a glimpse of its power. I have opened a PuTTY session to the ESX host on which the VM whose traffic I want to capture is running.

Case 1:

I have created two VMs. The management vNICs (virtual NICs) of both VMs are attached to vmnic0 (the physical NIC).

Now I am monitoring the traffic between the two VMs while pinging from one VM to the other.

~ # pktcap-uw --uplink vmnic0 -c 20 vmnic_capture.pcap
The name of the uplink is vmnic0
To capture 20 packets
No server port specifed, select 59721 as the port
Output the packet info to console.

Note the last line: because this command has no -o option, the trailing file name is not used and the packet info goes to the console instead of to vmnic_capture.pcap. To write the capture to a file, pass -o vnic_capture.pcap as in the cases below.

Case 2:

Now, if you want to monitor vNIC (virtual interface) traffic, we can do that as well. To do so we first need to identify the vNIC Port-ID, because that is the unique parameter associated with a vNIC.

There are two methods to find the Port-ID.

1) The first is a two-step method.

~ # esxcli network vm list
World ID  Name        Num Ports  Networks
--------  ----------  ---------  ---------------
52666     Linux-11.1  1          dvportgroup-302

~ # esxcli network vm port list -w 52666
Port ID: 50331655
vSwitch: VDSwitch-1
Portgroup: dvportgroup-302
DVPort ID: 38
MAC Address: 00:50:56:99:86:67
IP Address: 0.0.0.0
Team Uplink: vmnic0
Uplink Port ID: 50331651
Active Filters:

2) The second method uses esxtop.

Type esxtop at the command prompt.
Press "n" to switch to the network view.
Locate the VM whose packets you want to trace and read its PORT-ID.

PORT-ID USED-BY TEAM-PNIC DNAME PKTTX/s MbTX/s PKTRX/s MbRX/s %DRPTX %DRPRX
50331655 52666:Linux-11.1.eth vmnic0 DvsPortset-0 0.99 0.00 0.99 0.00 0.00 0.00

Coming back to pktcap-uw, I used the VM Port-ID collected above to capture the network traffic. Note that pktcap-uw echoes the Port-ID back in hex (50331655 is 0x03000007), which is a quick way to confirm the session is attached to the port you meant.

~ # pktcap-uw --switchport 50331655 -c 25 -o vnic_capture1.pcap
The switch port id is 0x03000007
To capture 25 packets
The output file is vnic_capture1.pcap
No server port specifed, select 60899 as the port
Local CID 2
Listen on port 60899
Accept…Vsock connection from port 1026 cid 2
Dump: 22, broken : 0, drop: 0, file err: 0Receive thread exiting…
Dump: 25, broken : 0, drop: 0, file err: 0Dump thread exiting…
Destroying session 2

Dumped 25 packet to file vnic_capture1.pcap, dropped 0 packets.
Done.
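Putting the two steps of Case 2 together, here is an added example (not from the original post or from VMware's tooling) that resolves a VM name to its World ID and Port ID, renders the Port ID in the hex form pktcap-uw echoes back, and assembles the bounded capture command for review before it is run as root. The function names are this example's own; the esxcli output is a constructed sample copied from the layout shown above, and the script falls back to that sample when esxcli is not on the PATH so it also runs off the host.

```shell
#!/bin/sh
# Added example: VM name -> World ID -> Port ID -> pktcap-uw command.
# Helper names (parse_world_id, parse_port_id, port_id_hex, build_capture_cmd,
# resolve_vm_port) are this example's own, not esxcli or pktcap-uw features.

# Constructed sample of `esxcli network vm list` output (layout as in the post).
SAMPLE_VM_LIST='World ID  Name        Num Ports  Networks
--------  ----------  ---------  ---------------
52666     Linux-11.1  1          dvportgroup-302'

# Constructed sample of `esxcli network vm port list -w 52666` output.
SAMPLE_PORT_LIST='   Port ID: 50331655
   vSwitch: VDSwitch-1
   Portgroup: dvportgroup-302
   DVPort ID: 38
   MAC Address: 00:50:56:99:86:67
   IP Address: 0.0.0.0
   Team Uplink: vmnic0
   Uplink Port ID: 50331651
   Active Filters:'

# parse_world_id NAME: read `esxcli network vm list` output on stdin and print
# the World ID of the VM called NAME. Skips the two header lines; prints
# nothing when the VM is absent.
parse_world_id() {
  awk -v name="$1" 'NR > 2 && $2 == name { print $1; exit }'
}

# parse_port_id: read `esxcli network vm port list` output on stdin and print
# the first Port ID (a VM with several vNICs shows one block per port).
parse_port_id() {
  sed -n 's/^[[:space:]]*Port ID:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# port_id_hex DECIMAL: render the Port ID the way pktcap-uw echoes it
# ("The switch port id is 0x03000007") so the session can be cross-checked.
port_id_hex() {
  printf '0x%08x' "$1"
}

# build_capture_cmd PORT_ID COUNT OUTFILE: assemble (but do not execute) the
# pktcap-uw invocation, always bounded with -c and written to a file with -o.
build_capture_cmd() {
  printf 'pktcap-uw --switchport %s -c %s -o %s' "$1" "$2" "$3"
}

# resolve_vm_port NAME: end-to-end lookup. Uses the live host when esxcli is
# available, otherwise the constructed samples. Returns 1 if NAME is unknown.
resolve_vm_port() {
  if command -v esxcli >/dev/null 2>&1; then
    wid=$(esxcli network vm list | parse_world_id "$1")
    [ -n "$wid" ] || return 1
    esxcli network vm port list -w "$wid" | parse_port_id
  else
    wid=$(printf '%s\n' "$SAMPLE_VM_LIST" | parse_world_id "$1")
    [ -n "$wid" ] || return 1
    printf '%s\n' "$SAMPLE_PORT_LIST" | parse_port_id
  fi
}

# Usage: look up the VM from the post and show what would be run.
if pid=$(resolve_vm_port Linux-11.1); then
  echo "Port ID $pid ($(port_id_hex "$pid"))"
  echo "Would run: $(build_capture_cmd "$pid" 25 vnic_capture1.pcap)"
else
  echo "VM not found" >&2
fi
```

The lookup keys on the Name column, so a VM whose display name contains spaces would need the awk match adjusted; the capture command is only printed, so you can confirm the Port ID and the -c packet bound before starting a capture on a production host.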

Case 3:

Last but not least, we can monitor vmknic traffic as well. In this case I am narrowing the capture down by specifying the destination IP.

~ # pktcap-uw --vmk vmk0 --dstip 192.168.13.1 -c 25 -o vnic_capture2.pcap
The name of the vmk is vmk0
The session filter destination IP address is 192.168.13.1
To capture 25 packets
The output file is vnic_capture2.pcap
No server port specifed, select 61256 as the port
Local CID 2
Listen on port 61256
Accept…Vsock connection from port 1027 cid 2
Dump: 24, broken : 0, drop: 0, file err: 0Receive thread exiting…
Dump: 25, broken : 0, drop: 0, file err: 0Dump thread exiting…
Destroying session 3

Dumped 25 packet to file vnic_capture2.pcap, dropped 0 packets.
Done.

To learn about more options, issue the command below; you will find a plethora of options to narrow down your network traffic capture.
~ # pktcap-uw -h

After the command completes, you can copy the generated files to your local desktop using WinSCP or any other tool you prefer, and then analyze them.
