To capture packet on ESXi host for particular VM and related uplink (pNic), you need to get the PortNum for VM and pNic used for that particular VM.
In this example I am taking Test-VM which has IP address 10.10.10.10
You can get Port-ID after connecting to esxi host using SSH on which that VM is running, using command net-stats -l
example:
net-stats -l
PortNum Type SubType SwitchName MACAddress ClientName
33577595 5 9 DvsPortset-0 00:50:56:82:70:48 Test-VM.eth0
You can also get the VM PORT-ID and pNic used for impacted VM for which you need to do packet capture.
esxtop
then press n for network detrails of host and VMs
PORT-ID USED-BY TEAM-PNIC DNAME PKTTX/s MbTX/s PSZTX PKTRX/s MbRX/s PSZRX %DRPTX %DRPRX
33577595 60324549:Test-VM.eth0 vmnic1 DvsPortset-0 1.79 0.00 82.00 2.26 0.00 76.00 0.00 0.00
Once you note the details for Port-ID and pNIC used for VM. You can go ahead and run the packet capture using pktcap-uw
Test-VM using port-id 33577595 and pNIC vmnic1
There are two way to get the capute one you can see the output direct on esxi console or you can capture the same in pcap file for later analysis.
To capture at VM Port-ID level:
Below command will show all the traffic on that VM port id which has 10.10.10.10 either source or destination IP.
pktcap-uw --capture VnicTx,VnicRx --switchport 33577595 --ip 10.10.10.10 -o - | tcpdump-uw -enr -
To capture the output of capture to a file you can use below command, you need to provide the path to capture file:
pktcap-uw --capture VnicTx,VnicRx --switchport 33577595 --ip 10.10.10.10 -o /vmfs/volumes/DatastoreName/FileName.pcap
To capture packet for particular source and destination for any port:
pktcap-uw --capture VnicTx,VnicRx --switchport 33577595 --srcip 10.10.10.10 --dstip 10.10.10.20 -o - | tcpdump-uw -enr -
To capture packet for particular source and destination for specific port:
pktcap-uw --capture VnicTx,VnicRx --switchport 33577595 --srcip 10.10.10.10 --dstip 10.10.10.20 --tcpport 22 -o - | tcpdump-uw -enr -
To capture output to a file:
pktcap-uw --capture VnicTx,VnicRx --switchport 33577595 --srcip 10.10.10.10 --dstip 10.10.10.20 --tcpport 22 -o /vmfs/volumes/DatastoreName/FileName.pcap
To capture at pNic level used for that VM:
Below command will show all the traffic on pNIC level, where you can add filter using source IP, Destination IP and Port Number along with direction.
In below example I want to see the traffic sent or received on IP 10.10.10.10 on port number 22 on vmnic1
pktcap-uw --uplink vmnic1 --capture UplinkSndKernel,UplinkRcvKernel --ip 10.10.10.10 --tcpport 22 -o - | tcpdump-uw -enr -
To capture above command output to a pcap file for later analysis.
pktcap-uw --uplink vmnic1 --capture UplinkSndKernel,UplinkRcvKernel --ip 10.10.10.10 --tcpport 22 -o /vmfs/volumes/DatastoreName/FileName.pcap
To capture traffic between 2 particular end points on given pNIC
pktcap-uw --uplink vmnic1 --capture UplinkSndKernel,UplinkRcvKernel --srcip 10.10.10.10 --dstip 10.10.10.20 -o - | tcpdump-uw -enr -
To Save output to a file:
pktcap-uw --uplink vmnic1 --capture UplinkSndKernel,UplinkRcvKernel --srcip 10.10.10.10 --dstip 10.10.10.20 -o /vmfs/volumes/DatastoreName/FileName.pcap
To capture traffic between 2 particular end points along with port on given pNIC
pktcap-uw --uplink vmnic1 --capture UplinkSndKernel,UplinkRcvKernel --srcip 10.10.10.10 --dstip 10.10.10.20 --tcpport 22 -o - | tcpdump-uw -enr -
To Save output to a file:
pktcap-uw --uplink vmnic1 --capture UplinkSndKernel,UplinkRcvKernel --srcip 10.10.10.10 --dstip 10.10.10.20 --tcpport 22 -o /vmfs/volumes/DatastoreName/FileName.pcap
You can change the port-ID, pNIC, IP and Port Number according your use case.
No comments:
Post a Comment