VMware Cloud Community
maniyuvaraj
Enthusiast

Need to Capture Network Traffic for VM

I need to capture all network-related traffic for a VM and used the following command for that purpose; however, it is capturing only ESX traffic.

I tried this command, but it is capturing ESX traffic:

tcpdump-uw -i vmk0 -s 1514

Thank you…

Yuvaraj.M

4 Replies
MKguy
Virtuoso

You are capturing traffic on a vmkernel interface (vmk0). Only ESX(i) host traffic flows through this interface.

To capture traffic from a particular VM outside of the guest OS you need to use a separate VM to capture the traffic on.

If the source-VM is connected to a standard vSwitch, you need to enable promiscuous mode on the port group of your sniffer-VM (create a new port group with the same VLAN as the source VM).

Refer to these articles explaining the setup in more detail:

http://vmetc.com/2009/03/12/virtual-machine-sniffer-on-esx-hosts/

http://www.petri.co.il/using-packet-analyzer-on-virtual-network.htm

If your source-VM is connected to a distributed vSwitch (vSphere 5+), you can use the built-in Port Mirroring feature to mirror traffic to your sniffer-VM:

http://blogs.vmware.com/vsphere/2011/08/vsphere-5-new-networking-features-port-mirroring.html

-- http://alpacapowered.wordpress.com
maniyuvaraj
Enthusiast

Hi MK,

Thanks for the information; sorry, unfortunately I did not mention the infrastructure. Please find the details:

Actually the VM is connected to a Nexus 1000v, and it is a vSphere 4.1 environment.

Physical blade: Cisco UCS B200 M2.

Please let us know how to monitor for this infrastructure.

Thanks with regards,

Yuvaraj.M

MarekZdrojewski

Hi,

Check this blog; it explains the concept and procedure quite well.

http://blogs.vmware.com/vsphere/2009/03/down-and-dirty-network-troubleshooting-using-traces.html

Hope this helps,

Regards.

| Blog: https://defaultreasoning.com | Twitter: @MarekDotZ |
maniyuvaraj
Enthusiast

Hi Marek.Z,

Thanks for the information and your timing.

I reviewed your link; it is useful, however not in my scenario, because you have mentioned a standard switch. As I mentioned in my previous comment, the virtual machine is connected to a Nexus 1000v; since it is a production VM I can't create a standard switch and migrate to it.

We found the following way to capture the traffic. Please find the details:

We kept the Nexus 1000v in the middle and selected the source machine interface as "Production" and the destination interface as one of the test machines.

We kept the test machine and the prod machine in the same VLAN, installed Wireshark and captured the traffic.

The commands used on the Nexus 1000v are as follows:

n1000v# config t
n1000v(config)# no monitor session 1
n1000v(config)# monitor session 1
n1000v(config-monitor)# description session1
n1000v(config-monitor)# source interface <veth number> both
n1000v(config-monitor)# filter <VLAN ID>
n1000v(config-monitor)# destination interface Vethernet <Test Machine Ethernet ID>
n1000v(config-monitor)# no shut
n1000v(config-monitor)# exit
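As an added example (not from the original thread), here is the same local SPAN setup with constructed values filled in, followed by the checks on the switch and on the sniffer VM that confirm the mirrored traffic actually arrives. Vethernet10 (production VM), Vethernet20 (sniffer VM), VLAN 100, eth0 and the sniffer address 192.0.2.50 are all assumed; the `filter vlan` keyword form is the standard NX-OS SPAN syntax.

```text
! Nexus 1000v side (constructed values)
n1000v# config t
n1000v(config)# no monitor session 1
n1000v(config)# monitor session 1
n1000v(config-monitor)# description prod-vm-span
n1000v(config-monitor)# source interface Vethernet10 both
n1000v(config-monitor)# filter vlan 100
n1000v(config-monitor)# destination interface Vethernet20
n1000v(config-monitor)# no shut
n1000v(config-monitor)# exit
n1000v(config)# exit
! Verify: the session must report state "up" with the expected source and
! destination; a session that stays down usually means the destination
! Veth is not in the session VLAN or the session was never "no shut".
n1000v# show monitor session 1

! Sniffer VM side (Linux guest behind Vethernet20)
! -nn: no name resolution, -s 0: full frames, -w: keep raw pcap for Wireshark
! The "not host" filter drops the sniffer's own traffic so only mirrored
! production frames are written.
sniffer$ sudo tcpdump -i eth0 -nn -s 0 -w prod-vm.pcap not host 192.0.2.50
```

Because the sniffer VM now receives a copy of every production frame in that VLAN, treat the capture file and the sniffer guest with the same access controls as the production VM itself.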