VMware offers a great and powerful tool, pktcap-uw, to perform packet capture on an ESXi host.
Pktcap-uw offers a lot of options for packet capture.
Here I show the options I use most in my daily work, for your reference. I normally perform a packet capture based on a vSwitch port ID or a DV filter (NSX DFW).
To do that, I first need to find the vSwitch port ID and the DV filter ID on the ESXi host so that I can reference them in the packet capture. I normally use the "summarize-dvfilter" CLI to find the required information.
[root@esx4005:/tmp] summarize-dvfilter | grep -C 10 1314
slowPathID: none
filter source: Dynamic Filter Creation
vNic slot 1
name: nic-18417802-eth0-dvfilter-generic-vmware-swsec.1
agentName: dvfilter-generic-vmware-swsec
state: IOChain Attached
vmState: Detached
failurePolicy: failClosed
slowPathID: none
filter source: Alternate Opaque Channel
world 18444553 vmm0:auslslnxsd1314-113585a5-f6ed-4eb3-abd2-12083901e942 vcUuid:'11 35 85 a5 f6 ed 4e b3-ab d2 12 08 39 01 e9 42'
port 33554558 (vSwitch PortID) auslslnxsd1314-113585a5-f6ed-4eb3-abd2-12083901e942.eth0
vNic slot 2
name: nic-18444553-eth0-vmware-sfw.2 (DV Filter ID)
agentName: vmware-sfw
state: IOChain Attached
vmState: Detached
failurePolicy: failClosed
slowPathID: none
filter source: Dynamic Filter Creation
vNic slot 1
name: nic-18444553-eth0-dvfilter-generic-vmware-swsec.1
After I have the vSwitch port ID and DV filter ID, I can start my packet capture.
- Packet capture to a VM based on vSwitch PortID
pktcap-uw --switchport 33554558 --dir 0 -o /tmp/from1314.pcap
- Packet capture from a VM based on vSwitch PortID
pktcap-uw --switchport 33554558 --dir 1 -o /tmp/to1314.pcap
- Packet capture from a VM based on DV filter
pktcap-uw --capture PreDVFilter --dvfilter nic-18444553-eth0-vmware-sfw.2 -o /tmp/1314v3.pcap
Below is a brief explanation of the parameters used above.
-o (output): save the capture as a packet capture file;
--dir (direction): 0 for traffic to the VM and 1 for traffic from the VM;
--capture PreDVFilter: perform the packet capture before DFW rules are applied;
--capture PostDVFilter: perform the packet capture after DFW rules are applied;
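The two-step procedure above (read the IDs from summarize-dvfilter, then build the pktcap-uw command lines) as an added shell example, not from the original post. It parses a constructed copy of the summarize-dvfilter listing shown earlier (the second VM reuses the post's IDs; the first VM and its IDs are made up) and prints the three capture commands; on a real host you would run summarize-dvfilter | pktcap_cmds <vm-name> instead of feeding it the sample.

```shell
#!/bin/sh
# Added example (not from the original post). dvfilter_ids and pktcap_cmds are
# hypothetical helper names; pktcap-uw and summarize-dvfilter are the real ESXi tools.

# Constructed summarize-dvfilter output: "otherVM" (port 33554557) is invented,
# the second VM reuses the IDs from the post's listing.
SAMPLE_DVFILTER=$(cat <<'EOF'
world 18417802 vmm0:otherVM-0e4d1b2c-0000-4000-8000-000000000001 vcUuid:'0e 4d 1b 2c 00 00 40 00-80 00 00 00 00 00 00 01'
 port 33554557 otherVM-0e4d1b2c-0000-4000-8000-000000000001.eth0
  vNic slot 2
   name: nic-18417802-eth0-vmware-sfw.2
   agentName: vmware-sfw
world 18444553 vmm0:auslslnxsd1314-113585a5-f6ed-4eb3-abd2-12083901e942 vcUuid:'11 35 85 a5 f6 ed 4e b3-ab d2 12 08 39 01 e9 42'
 port 33554558 auslslnxsd1314-113585a5-f6ed-4eb3-abd2-12083901e942.eth0
  vNic slot 2
   name: nic-18444553-eth0-vmware-sfw.2
   agentName: vmware-sfw
  vNic slot 1
   name: nic-18444553-eth0-dvfilter-generic-vmware-swsec.1
   agentName: dvfilter-generic-vmware-swsec
EOF
)

# dvfilter_ids <vm-name>   (reads summarize-dvfilter output on stdin)
# Prints "<switchport-id> <dvfilter-name>" for the VM's DFW (vmware-sfw) filter,
# exit 1 if the VM is not listed. The name may be given with or without the
# "-<uuid>" suffix that summarize-dvfilter appends.
dvfilter_ids() {
    awk -v vm="$1" '
        $1 == "world" { tok = substr($3, 6); inworld = (tok == vm || index(tok, vm "-") == 1) }
        inworld && $1 == "port"  { port = $2 }     # vSwitch port ID of this VM
        inworld && $1 == "name:" { name = $2 }     # most recent filter name seen
        inworld && $1 == "agentName:" && $2 == "vmware-sfw" { print port, name; found = 1; exit }
        END { exit !found }'
}

# pktcap_cmds <vm-name>   (reads summarize-dvfilter output on stdin)
# Prints the to-VM, from-VM and pre-DFW capture commands used in the post.
pktcap_cmds() {
    ids=$(dvfilter_ids "$1") || return 1
    port=${ids% *}
    filter=${ids#* }
    printf 'pktcap-uw --switchport %s --dir 0 -o /tmp/%s-to.pcap\n' "$port" "$1"
    printf 'pktcap-uw --switchport %s --dir 1 -o /tmp/%s-from.pcap\n' "$port" "$1"
    printf 'pktcap-uw --capture PreDVFilter --dvfilter %s -o /tmp/%s-predfw.pcap\n' "$filter" "$1"
}

printf '%s\n' "$SAMPLE_DVFILTER" | pktcap_cmds auslslnxsd1314
```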
In addition, you can add a filter to your capture as well:
pktcap-uw --switchport 33554558 --tcpport 9000 --dir 1 -o /tmp/from1314.pcap
I list all available filter options here for your reference:
--srcmac: The Ethernet source MAC address.
--dstmac: The Ethernet destination MAC address.
--mac: The Ethernet MAC address (src or dst).
--ethtype: The Ethernet type, HEX format.
--vlan: The Ethernet VLAN ID.
--srcip: The source IP address.
--dstip: The destination IP address.
--ip: The IP address (src or dst).
--proto 0x: The IP protocol.
--srcport: The TCP source port.
--dstport: The TCP destination port.
--tcpport: The TCP port (src or dst).
--vxlan: The VXLAN ID of the flow.
Update:
Start two captures at the same time:
pktcap-uw --switchport 50331665 -o /tmp/50331665.pcap & pktcap-uw --uplink vmnic2 -o /tmp/vmnic2.pcap &
Stop all packet captures:
kill $(lsof | grep pktcap-uw | awk '{print $1}' | sort -u)
Of course, you can perform some basic packet capture in NSX Manager via the Central CLI. If you are interested, please refer to my other blog post:
I'm no longer certain where you are getting your info, but good topic. I need to spend a while studying more or understanding more. Thank you for the great information; I was searching for this information for my mission.
Excellent blog right here! Also, your web site loads up rather fast! What host are you using? Can I get your affiliate link to your host? I wish my web site loaded up as quickly as yours lol
Hi Alex, I am using wordpress.com to host my website.