Monday, January 22, 2024

Packet capture for a VM on an ESXi host at the vNIC and pNIC using pktcap-uw

To capture packets on an ESXi host for a particular VM and its uplink (pNIC), you need the PortNum of the VM and the pNIC used by that VM.

In this example I am using Test-VM, which has the IP address 10.10.10.10.

You can get the Port-ID by connecting over SSH to the ESXi host on which the VM is running and running the command net-stats -l

Example:

net-stats -l

PortNum             Type SubType SwitchName       MACAddress         ClientName

33577595            5       9    DvsPortset-0        00:50:56:82:70:48     Test-VM.eth0

You can also get the VM PORT-ID and the pNIC used by the affected VM, for which you need the packet capture, with esxtop:

esxtop

Then press n for the network details of the host and VMs.

PORT-ID   USED-BY                            TEAM-PNIC    DNAME              PKTTX/s   MbTX/s   PSZTX      PKTRX/s  MbRX/s   PSZRX  %DRPTX %DRPRX

33577595  60324549:Test-VM.eth0       vmnic1       DvsPortset-0          1.79    0.00    82.00       2.26    0.00     76.00   0.00   0.00

Once you have noted the Port-ID and the pNIC used by the VM, you can go ahead and run the packet capture using pktcap-uw.

Test-VM uses port-id 33577595 and pNIC vmnic1.

There are two ways to get the capture: you can view the output directly on the ESXi console, or you can write it to a pcap file for later analysis.

To capture at VM Port-ID level:

The command below shows all traffic on that VM port ID that has 10.10.10.10 as either the source or the destination IP.

pktcap-uw --capture VnicTx,VnicRx --switchport 33577595 --ip 10.10.10.10 -o - | tcpdump-uw -enr -

To write the capture to a file, use the command below; you need to provide the path to the capture file:

pktcap-uw --capture VnicTx,VnicRx --switchport 33577595 --ip 10.10.10.10 -o /vmfs/volumes/DatastoreName/FileName.pcap

To capture packets for a particular source and destination on any port:

pktcap-uw --capture VnicTx,VnicRx --switchport 33577595 --srcip 10.10.10.10 --dstip 10.10.10.20  -o - | tcpdump-uw -enr -

To capture packets for a particular source and destination on a specific port:

pktcap-uw --capture VnicTx,VnicRx --switchport 33577595 --srcip 10.10.10.10 --dstip 10.10.10.20 --tcpport 22 -o - | tcpdump-uw -enr -

To write the output to a file:

pktcap-uw --capture VnicTx,VnicRx --switchport 33577595 --srcip 10.10.10.10 --dstip 10.10.10.20 --tcpport 22 -o /vmfs/volumes/DatastoreName/FileName.pcap

To capture at the pNIC level used by that VM:

The command below shows all traffic at the pNIC level; you can add filters for source IP, destination IP and port number, along with direction.

In the example below I want to see the traffic sent or received by IP 10.10.10.10 on port number 22 on vmnic1:

pktcap-uw --uplink vmnic1 --capture UplinkSndKernel,UplinkRcvKernel --ip 10.10.10.10  --tcpport 22 -o - | tcpdump-uw -enr -


To write the output of the above command to a pcap file for later analysis:


pktcap-uw --uplink vmnic1 --capture UplinkSndKernel,UplinkRcvKernel --ip 10.10.10.10  --tcpport 22 -o /vmfs/volumes/DatastoreName/FileName.pcap


To capture traffic between two particular endpoints on a given pNIC:


pktcap-uw --uplink vmnic1 --capture UplinkSndKernel,UplinkRcvKernel --srcip 10.10.10.10 --dstip 10.10.10.20  -o - | tcpdump-uw -enr -


To save the output to a file:


pktcap-uw --uplink vmnic1 --capture UplinkSndKernel,UplinkRcvKernel --srcip 10.10.10.10 --dstip 10.10.10.20  -o /vmfs/volumes/DatastoreName/FileName.pcap 


To capture traffic between two particular endpoints, along with the port, on a given pNIC:


pktcap-uw --uplink vmnic1 --capture UplinkSndKernel,UplinkRcvKernel --srcip 10.10.10.10 --dstip 10.10.10.20 --tcpport 22 -o - | tcpdump-uw -enr -


To save the output to a file:


pktcap-uw --uplink vmnic1 --capture UplinkSndKernel,UplinkRcvKernel --srcip 10.10.10.10 --dstip 10.10.10.20 --tcpport 22 -o /vmfs/volumes/DatastoreName/FileName.pcap 


You can change the port-ID, pNIC, IP and port number according to your use case.
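
The lookup and capture steps above can be scripted. The following is an added example, not part of the original post: it resolves the PortNum from net-stats -l output by exact ClientName match, so that Test-VM.eth0 never picks up the port of a similarly named VM, and validates the IP before building the pktcap-uw command. The function names and the Test-VM2 row are assumptions made for illustration, and ClientName is assumed to contain no spaces.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Constructed sample: the header and the Test-VM row come from the post above;
# the Test-VM2 row is invented to show why a substring match is unsafe.
sample_net_stats() {
cat <<'EOF'
PortNum             Type SubType SwitchName       MACAddress         ClientName
33577595            5       9    DvsPortset-0        00:50:56:82:70:48     Test-VM.eth0
33577601            5       9    DvsPortset-0        00:50:56:82:70:49     Test-VM2.eth0
EOF
}

# portnum_for_client <ClientName>: reads `net-stats -l` output on stdin.
# Prints the PortNum only if exactly one row matches; otherwise returns 1.
portnum_for_client() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $NF == want { port = $1; n++ }
        END { if (n == 1) print port; else exit 1 }'
}

# is_ipv4 <addr>: accept only a dotted quad with octets 0-255, so nothing
# unexpected reaches the pktcap-uw command line.
is_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# vnic_capture_cmd <ClientName> <IP> <pcap path>: reads net-stats output on
# stdin and prints the vNIC capture command from the post with the resolved
# port. The pcap path is passed through unchanged and is not validated.
vnic_capture_cmd() {
    port=$(portnum_for_client "$1") || { echo "no unique port for $1" >&2; return 1; }
    is_ipv4 "$2" || { echo "bad IPv4 address: $2" >&2; return 1; }
    echo "pktcap-uw --capture VnicTx,VnicRx --switchport $port --ip $2 -o $3"
}

# Demo on the constructed sample. On an ESXi host, pipe live data instead:
#   net-stats -l | vnic_capture_cmd Test-VM.eth0 10.10.10.10 <pcap path>
sample_net_stats | vnic_capture_cmd Test-VM.eth0 10.10.10.10 \
    /vmfs/volumes/DatastoreName/FileName.pcap
```

The command is printed rather than executed, so the resolved port and filter can be reviewed before the capture starts.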



Friday, January 19, 2024

vRA 7.6 IaaS Management Agent certificate replacement with a new self-signed certificate

The system administrator can replace the Management Agent certificate with a new self-signed certificate when it expires or is about to expire.

Each IaaS host runs its own Management Agent. Repeat this procedure on each IaaS node whose Management Agent you want to update.

Prerequisites:

Obtain vRA Management Agent hostname (hn):

Copy the vRA Management Agent hostname from the vRA VAMI interface, under the Cluster tab, where you see the certificate warning or error for the agent.

Obtain vRA Management Agent ID (nd):

Copy the details from the existing agent config file in the vRA Management Agent installation directory.

On each of the IaaS nodes where you will be replacing the certificate, obtain the Management Agent identifier by opening the file below:

<vra-installation-dir>\Management Agent\VMware.IaaS.Management.Agent.exe.config

The identifier is the value of agentConfiguration id.

Obtain vRA appliance SSL Thumbprint (tp):

You can find this in the same file, <vra-installation-dir>\Management Agent\VMware.IaaS.Management.Agent.exe.config.

See the screenshot below for a sample file and the data to copy.


Once all the required data has been copied, perform the two steps below before generating and registering the new self-signed certificate with the vRA appliance management site.

1. Stop the Management Agent service from your Windows Services snap-in.

Select the VMware vCloud Automation Center Management Agent service and click Stop to stop the service.

2. Remove the current certificate from the machine.

In the Local Machine certificate snap-in in the MMC console, remove the current Management Agent certificate.

  • Register the Management Agent certificate with the vRA appliance management site.

Open a command prompt as an administrator and navigate to the Cafe directory on the machine on which the Management Agent is installed at <vra-installation-dir>\Management Agent\Tools\Cafe, typically C:\Program Files (x86)\VMware\vCAC\Management Agent\Tools\Cafe.

Enter the Vcac-Config.exe RegisterNode command with options to register the Management Agent identifier and certificate in one step. Include the Management Agent identifier you recorded earlier as the value for the -nd option.

Vcac-Config.exe RegisterNode -v -vamih "vra-va.eng.mycompany:5480" -cu "root" -cp "secret" -hn "iaas.eng.mycompany" -nd "C816CFBX-4830-4FD2-8951-C17429CEA291" -tp "70928851D5B72B206E4B1CF9F6ED953EE1103DED"

Restart the Management Agent.

You can now verify in the vRA VAMI UI, under Cluster, that the agent certificate warning/error has disappeared.

For more details, see the VMware documentation: https://kb.vmware.com/s/article/86046