princox
Enthusiast

Capture packet from VTEP via tcpdump-uw

Hi, Everyone

As I mentioned in the title, I'd like to capture packets from vmk3 (the VTEP interface); however, it is not possible, as shown below.

So I found a command, and this server is not listed by the "tcpdump-uw -D" command, as shown below.

What I am trying to do is capture packets for VXLAN (including outer/inner IP/MAC).

Would you give me some help, please?

Thanks a lot!

[root@esxcomp-01a:/tmp/jeff] tcpdump-uw -i vmk3 -w vxlan_tcpdump.pcap
tcpdump-uw: SIOCGIFHWADDR: Invalid argument
[root@esxcomp-01a:/tmp/jeff] tcpdump-uw -D
1.vmk0
2.vmk1
3.lo0
[root@esxcomp-01a:/tmp/jeff]

[root@esxcomp-01a:/tmp/jeff] esxcli network ip interface ipv4 get
Name  IPv4 Address    IPv4 Netmask   IPv4 Broadcast   Address Type  DHCP DNS
----  --------------  -------------  ---------------  ------------  --------
vmk0  192.168.120.51  255.255.255.0  192.168.120.255  STATIC           false
vmk1  10.20.20.51     255.255.255.0  10.20.20.255     STATIC           false
vmk3  192.168.110.83  255.255.255.0  192.168.110.255  STATIC           false
vmk2  192.168.121.51  255.255.255.0  192.168.121.255  STATIC           false

7 Replies
hansroeder
Enthusiast

Check out this link: http://blog.ipcraft.net/packet-capture-nsx-troubleshooting-pktcap-uw/

I think you're looking for the pktcap-uw command. If you use the right parameters, you can capture packets at pretty much every point in the traffic flow (encapsulated or not).

princox
Enthusiast

Hi, Hans

Thanks for having an interest in this post.

I looked at the link you recommended, but it does not relate to my question.

What I am looking for is why "vmk3" cannot be captured by tcpdump-uw.

Through 'tcpdump-uw -D', there is no vmk3 interface listed....

Thanks a lot

0 Kudos
NXS_Devops
Contributor

Probably you can capture only on a switchport or physical adapter, not the kernel interface.

0 Kudos
bayupw
Leadership

Hi, you might want to use pktcap-uw. Have you tried pktcap-uw?

Using the pktcap-uw tool in ESXi 5.5 and later (2051814) | VMware KB

The pktcap-uw tool is an enhanced packet capture and analysis tool that can be used in place of the legacy tcpdump-uw tool. The pktcap-uw tool is included by default in ESXi 5.5 and later versions.

See this document: NSX-v Operations Guide, rev 1.5, page 60.

To capture packets sent by a vmkernel port:

pktcap-uw --vmk <vmknic> -o capture.pcap

To display the pcap:

tcpdump-uw -enr capture.pcap

Bayu Wibowo | VCIX6-DCV/NV Author of VMware NSX Cookbook http://bit.ly/NSXCookbook https://github.com/bayupw/PowerNSX-Scripts https://nz.linkedin.com/in/bayupw | twitter @bayupw
bayupw
Leadership

I can't find any documentation on this, but VXLAN has a separate TCP/IP stack, and tcpdump-uw -D can probably only list the default TCP/IP stack.

brandon9neill
Enthusiast

This is the correct answer. tcpdump-uw only works in the default TCP/IP stack, while vmk3 is in the vxlan TCP/IP stack.

0 Kudos
tanurkov
Enthusiast

With pktcap-uw you can capture on VXLAN before encapsulation and after (on the wire).

For this you can use stages and directions or Uplink receive.

You can also identify the capture points where packets can be captured.

You can use this article:

Capturing Packets by Using the pktcap-uw Utility

If you need more examples, I can provide my handbook with them for special needs.

I advise using ESXi for capturing for any kind of packet manipulation.

Regards, Dmitri

0 Kudos
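
Added example (not part of any post in this thread): a small decoder that reports whether a captured frame was taken before or after VXLAN encapsulation and, if after, extracts the outer and inner MAC/IP addresses and the VNI that the original question asks about. It works on raw frame bytes rather than a pcap file; the MAC addresses, the inner IPs, the peer VTEP 192.168.110.84, VNI 5001 and the accepted UDP port set are constructed assumptions, and only 192.168.110.83 (vmk3) comes from the thread.

```python
import ipaddress
import struct

VXLAN_PORTS = {4789, 8472}  # assumption: IANA port plus the older pre-standard port

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_l2_l3(frame):
    """Parse Ethernet (optional single 802.1Q tag) + IPv4; return (header dict, L4 bytes)."""
    if len(frame) < 14:
        return None, b""
    etype, off = struct.unpack("!H", frame[12:14])[0], 14
    if etype == 0x8100 and len(frame) >= 18:
        etype, off = struct.unpack("!H", frame[16:18])[0], 18
    if etype != 0x0800 or len(frame) < off + 20:
        return None, b""
    ihl = (frame[off] & 0x0F) * 4
    hdr = {"dst_mac": fmt_mac(frame[0:6]), "src_mac": fmt_mac(frame[6:12]),
           "src_ip": str(ipaddress.IPv4Address(frame[off + 12:off + 16])),
           "dst_ip": str(ipaddress.IPv4Address(frame[off + 16:off + 20])),
           "proto": frame[off + 9]}
    return hdr, frame[off + ihl:]

def decode_vxlan(frame):
    """Return outer/inner headers and VNI, or mark the frame as not encapsulated."""
    outer, l4 = parse_l2_l3(frame)
    if outer is None or outer["proto"] != 17 or len(l4) < 16:  # need UDP + VXLAN header
        return {"encapsulated": False, "outer": outer}
    dport, vx = struct.unpack("!H", l4[2:4])[0], l4[8:]
    if dport not in VXLAN_PORTS or not vx[0] & 0x08:  # I flag means the VNI is valid
        return {"encapsulated": False, "outer": outer}
    inner, _ = parse_l2_l3(vx[8:])
    return {"encapsulated": True, "outer": outer, "vni": int.from_bytes(vx[4:7], "big"), "inner": inner}

def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, payload):
    """Build a constructed test frame (IPv4 checksum left at 0; it is not validated above)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00" + ip + payload

# Constructed sample: a VM-to-VM ICMP frame, then the same frame wrapped in VXLAN between two VTEPs.
INNER = build_frame("005056aa0001", "005056aa0002", "172.16.10.11", "172.16.10.12", 1, b"\x08\x00" + bytes(6))
UDP_VXLAN = struct.pack("!HHHH4s3sB", 51000, 4789, 16 + len(INNER), 0, b"\x08\x00\x00\x00", (5001).to_bytes(3, "big"), 0) + INNER
ON_WIRE = build_frame("005056bb0083", "005056bb0084", "192.168.110.83", "192.168.110.84", 17, UDP_VXLAN)

if __name__ == "__main__":
    for name, frame in (("before encapsulation", INNER), ("on the wire", ON_WIRE)):
        print(name, decode_vxlan(frame))
```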