I would like to share an incident where this tool gave a great hand :-)
Previously, packets could be captured only at the VMkernel interfaces with tcpdump-uw; frames at the uplinks or at the vSwitch level could not be captured at all. With the pktcap-uw utility (ESXi 5.5 and later) it is now possible to capture packets at a VM's virtual switch port and at the physical uplinks connected to any type of virtual switch, standard or distributed.
How is it useful in a real-life scenario?
We had a very big problem: a critical application VM was suspected to have connectivity issues, client connections to the application VM were dropping, and initially it was not clear where this was happening; as usual, a severity case was raised with us for analysis. We used the pktcap utility to capture at the virtual switch port level and on the uplinks connected to that virtual switch, and reading the captures in Wireshark clearly proved that the client packets had not even reached the physical uplink level, and obviously nothing was observed at the virtual switch port of the app VM.
It was a great help that the tool gave us a way to isolate that the issue was not within the virtual environment; it was later passed on to the network team, and the firewall turned out to be the culprit. Not digging much further into the issue we had, I just want to emphasise that this tool came in handy to isolate whether or not the issue was on the VMware end.
Below is the VMware KB article providing end-to-end steps on how to run it.
One point: the way VMware lists to get the VM's port ID, via esxtop, is lengthy. An easier way is esxcli, which lists the port ID together with the MAC address of the virtual NIC connected to it, so you can be sure you are capturing on the right virtual NIC (only powered-on VMs with connected vNICs appear in the list, so a missing VM is itself a clue):
esxcli network vm list -> lists the running VMs with their World IDs
esxcli network vm port list -w 10930 -> lists the virtual port ID(s) and the MAC address of each virtual NIC of the VM with World ID 10930
A single command line that captures at the VM's virtual switch port and on the two uplinks connected to the vSwitch, with each capture running as a background job:
pktcap-uw --switchport 12345678 -o /vmfs/volumes/Testesx-Localstorage/VMname.pcap & pktcap-uw --uplink vmnic8 -o /vmfs/volumes/Testesx-Localstorage/Testesx_vmnic8.pcap & pktcap-uw --uplink vmnic9 -o /vmfs/volumes/Testesx-Localstorage/Testesx_vmnic9.pcap &
Only the switch port ID, the output location and the uplink names need to be changed. Run in one go, this leaves three capture files, VMname.pcap, Testesx_vmnic8.pcap and Testesx_vmnic9.pcap, in the local datastore of the ESXi host named in the paths; open them in Wireshark and compare what arrived on the uplinks with what reached the VM's port.
Important point: because the captures run in the background, pressing Ctrl+C or Ctrl+Z at the prompt will not stop them. Stop them with the kill command given in the KB article, which finds every running pktcap-uw process:
kill $(lsof | grep pktcap-uw | awk '{print $1}' | sort -u)
Check with lsof | grep pktcap-uw afterwards that no capture is still running before copying the .pcap files off the host; a capture left running keeps growing on the local datastore.
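To tie the lookup and the capture together, here is an added shell script that is not part of the original post or VMware's KB. It parses the esxcli output to find the World ID and the port ID/MAC pairs, starts one pktcap-uw per vNIC port and per uplink, and after a fixed duration kills exactly the captures it started (recording each job's PID with $!), so nothing depends on Ctrl+C reaching a background job. The VM name AppVM01, the World IDs, port IDs and MAC addresses in the sample output are constructed for the example; the parsers take esxcli output as text so they can be run and checked on any box, and the capture itself only runs when you pass arguments on an ESXi host.

```shell
#!/bin/sh
# Added example (not from the original post or VMware's KB): script the
# World ID -> Port ID lookup and the parallel pktcap-uw captures on ESXi.
# Parsing functions take esxcli output as text so they can be tested off-box.

# Print the World ID of a VM from `esxcli network vm list` output.
# $1 = esxcli output text, $2 = VM name. Assumes the name has no spaces,
# since the output is column based.
world_id_for_vm() {
    printf '%s\n' "$1" | awk -v vm="$2" 'NR > 2 && $2 == vm { print $1; exit }'
}

# Print "PORTID MAC" per virtual NIC from `esxcli network vm port list -w`
# output, so the operator can confirm the port belongs to the right vNIC.
# The MAC contains colons, so strip the label with sub() instead of -F':'.
ports_for_world() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*Port ID:/     { sub(/^[^:]*: */, ""); port = $0 }
        /^[ \t]*MAC Address:/ { sub(/^[^:]*: */, ""); print port, $0 }'
}

# Capture at every vNIC port of a VM and on the given uplinks in parallel,
# then stop only the captures this function started.
# Usage: capture_vm <vm-name> <output-dir> <seconds> <uplink>...
capture_vm() {
    vm="$1"; outdir="$2"; duration="$3"; shift 3
    world=$(world_id_for_vm "$(esxcli network vm list)" "$vm")
    [ -n "$world" ] || { echo "no powered-on VM named $vm" >&2; return 1; }

    ports=$(ports_for_world "$(esxcli network vm port list -w "$world")")
    echo "World ID $world, vNIC ports (PORTID MAC):"; echo "$ports"

    pids=""
    for port in $(printf '%s\n' "$ports" | awk '{ print $1 }'); do
        pktcap-uw --switchport "$port" -o "$outdir/${vm}_port${port}.pcap" &
        pids="$pids $!"
    done
    for nic in "$@"; do
        pktcap-uw --uplink "$nic" -o "$outdir/${vm}_${nic}.pcap" &
        pids="$pids $!"
    done

    echo "capturing for ${duration}s, PIDs:$pids"
    sleep "$duration"
    # Ctrl+C never reaches background jobs; kill the recorded PIDs explicitly.
    kill $pids
    wait 2>/dev/null
    ls -l "$outdir"/"${vm}"_*.pcap
}

# Constructed sample esxcli output (not from a real host) for off-box runs.
SAMPLE_VM_LIST='World ID  Name     Num Ports  Networks
--------  -------  ---------  -----------
10930     AppVM01  1          VM Network
10955     DbVM02   1          VM Network'

SAMPLE_PORT_LIST='   Port ID: 33554447
   vSwitch: vSwitch0
   Portgroup: VM Network
   DVPort ID:
   MAC Address: 00:50:56:9a:1b:2c
   IP Address: 0.0.0.0
   Team Uplink: vmnic8
   Uplink Port ID: 33554434
   Active Filters:'

if [ $# -ge 4 ]; then
    # On the ESXi host, e.g.:
    # ./capture.sh AppVM01 /vmfs/volumes/Testesx-Localstorage 60 vmnic8 vmnic9
    capture_vm "$@"
else
    echo "World ID for AppVM01: $(world_id_for_vm "$SAMPLE_VM_LIST" AppVM01)"
    ports_for_world "$SAMPLE_PORT_LIST"
fi
```

Run it with no arguments anywhere to see the parsers work on the sample output; on the host, pass the VM name, output datastore path, duration in seconds and the uplink names. Capturing every vNIC port of the VM rather than a hand-copied port ID removes the easiest mistake in this procedure, running the report against the wrong virtual NIC.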