
Using the pktcap-uw tool to capture VM traffic

SSH to the ESXi host the VM resides on and run the command below, replacing VM-NAME with your VM’s name.

esxcli network vm list | grep -i VM-NAME

COMMAND OUTPUT:

1122341 VM-NAME dvportgroup-202593

Copy the number at the beginning of the output (1122341) into the command below and run it.

esxcli network vm port list -w 1122341

COMMAND OUTPUT:

Port ID: 33554507
vSwitch: VDS or VSS Name
Portgroup: dvportgroup-202593
DVPort ID: 323
MAC Address: 00:50:56:91:72:03
IP Address: 0.0.0.0
Team Uplink: vmnic1
Uplink Port ID: 33554434
Active Filters:

Copy the Port ID at the beginning of the output (33554507) into the capture commands below and run the captures.

FOR EGRESS CAPTURE (default)

pktcap-uw --switchport 33554507 -o /tmp/VM-NAME-outbound.pcap

FOR INGRESS CAPTURE

pktcap-uw --switchport 33554507 --dir 1 -o /tmp/VM-NAME.pcap

Install WinSCP, connect to the host over SCP, download the pcap file from the /tmp folder, and analyze it in Wireshark.
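The three lookup steps above, wrapped into one script as an added example (not from the original post or from VMware); it assumes the ESXi shell with esxcli and pktcap-uw available, and the sample esxcli output embedded in it is constructed after the post so the parsing can be tried offline.

```shell
#!/bin/sh
# Added helper (not from the original post or VMware): automates the three steps
# above so the port ID is looked up by exact VM name instead of copied by hand.
# Assumes the ESXi shell (busybox ash) with esxcli and pktcap-uw on the PATH.

# Constructed sample output, modelled on the post, so the parsers can be tried offline.
SAMPLE_VM_LIST='World ID  Name       Num Ports  Networks
--------  ---------  ---------  ------------------
1122341   VM-NAME    1          dvportgroup-202593
1122399   VM-NAME-2  1          dvportgroup-202593'
SAMPLE_PORT_LIST='   Port ID: 33554507
   DVPort ID: 323
   MAC Address: 00:50:56:91:72:03
   Uplink Port ID: 33554434'

# World ID for an exact VM name from "esxcli network vm list" output on stdin.
# grep -i VM-NAME would also match VM-NAME-2; comparing the whole Name field does not.
world_id_for_vm() {
    awk -v name="$1" '$2 == name { print $1; exit }'
}

# Switch Port ID from "esxcli network vm port list -w <world>" output on stdin.
# Anchored so "Uplink Port ID" and "DVPort ID" are not picked up by mistake.
port_id_from_port_list() {
    awk -F': *' '$1 ~ /^ *Port ID$/ { print $2; exit }'
}

# pktcap-uw command line for one port: dir 0 = egress from the VM (tool default),
# dir 1 = ingress to the VM. Printed rather than run so it can be reviewed first.
pktcap_cmd() {
    if [ "$2" = "1" ]; then
        printf 'pktcap-uw --switchport %s --dir 1 -o %s\n' "$1" "$3"
    else
        printf 'pktcap-uw --switchport %s -o %s\n' "$1" "$3"
    fi
}

# Resolve a VM name to its port with the live esxcli commands and print both captures.
# Stops with a message instead of running pktcap-uw against an empty port ID.
capture_vm() {
    world=$(esxcli network vm list | world_id_for_vm "$1")
    [ -n "$world" ] || { echo "no running VM named $1" >&2; return 1; }
    port=$(esxcli network vm port list -w "$world" | port_id_from_port_list)
    [ -n "$port" ] || { echo "no switch port for world $world" >&2; return 1; }
    pktcap_cmd "$port" 0 "/tmp/$1-outbound.pcap"
    pktcap_cmd "$port" 1 "/tmp/$1-inbound.pcap"
}

if [ $# -eq 1 ]; then capture_vm "$1"; fi
```

Run it on the host as `sh capture_vm.sh VM-NAME` and paste the printed pktcap-uw lines once they look right; VM names containing spaces would need the Name field matched differently.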

More info —

https://kb.vmware.com/s/article/2051814