vmmed1
Enthusiast

In NSX 6.4.4 can I filter a packet capture?

When I go to capture the packets in 6.4.4 - it says there is filtering. But if I go to the drop down, rather than seeing an opportunity to enter boolean expressions to limit the captured traffic I am seeing these known nic-whatever entries. Is there a way I can use pcap to just see traffic destined for a specific VM?

0 Kudos
1 Solution

Accepted Solutions
RShankar22
VMware Employee

If you want to perform a packet capture for a VM or a specific vNIC of a VM, the best way is to log in to the ESXi host where the VM resides, identify the switchport connected to the VM using the command "net-stats -l", and then use ESXi "pktcap-uw" to capture the packets.

There are a lot of options under ESXi pktcap-uw; based on those, you can capture the packets of interest.

0 Kudos
7 Replies
sk84
Expert

The selection of the filter drop-down field depends on your firewall rules applied on the ESXi host.

But if you create a packet capture session, you have to select an ESXi host and either an adapter or a filter. If you select "vNIC" as the adapter, you can select a specific vNIC of a VM.

So, the packet capturing will only be applied on this VM vNIC. That should accomplish exactly what you want.

--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
0 Kudos
vmmed1
Enthusiast

Yes - when I do a pcap I select the ESXi host on which the VM resides, then I choose the VM and the vNIC.

But what I'm not getting is that normally - say with Wireshark or tcpdump - I have the option to filter the interesting traffic when I execute the pcap.

For example:  tcpdump 'dst 10.0.2.4 and (dst port 3389 or 22)'

This would limit the interesting traffic to flows destined for 10.0.2.4 and port 3389 or port 22.

*That's* what I'd like to be able to do with the NSX pcap function. But instead it's just giving me a list of vNICs in the filter drop down. I can't figure out what they're doing there.

0 Kudos
sk84
Expert

Packet capturing in NSX is not as mature and simple as what you know from tcpdump or Wireshark.

When you create a capture session, you can enter a source and destination IP in the Advanced tab. But complex filter rules are not possible.

Most of the time it is easier not to apply a filter, download the capture file after the session has been captured, and import it into Wireshark or tcpdump for further analysis.

But you can also take a look at the pktcap-uw tool on the ESXi console:

Capturing and Tracing Network Packets by Using the pktcap-uw Utility

--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
0 Kudos
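Added example, not part of the original thread: the "capture unfiltered, filter afterwards" approach from the post above, applied offline to the filter quoted earlier (`dst 10.0.2.4 and (dst port 3389 or 22)`). It assumes the downloaded file is classic pcap with Ethernet framing; `filter_pcap` and `sample_capture` are hypothetical names and the sample frames are constructed.

```python
import socket
import struct

def filter_pcap(data, dst_ip, dst_ports):
    """Equivalent of tcpdump 'dst <dst_ip> and (dst port A or B)' over a
    classic-pcap byte string; returns (ts, src, sport, dst, dport) tuples."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not classic pcap (pcapng is not handled here)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    want, hits, off = socket.inet_aton(dst_ip), [], 24
    while off + 16 <= len(data):
        ts, _, caplen, _ = struct.unpack(end + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 18:
            continue                             # too short to classify
        etype, l3 = struct.unpack("!H", pkt[12:14])[0], 14
        if etype == 0x8100:                      # skip one 802.1Q VLAN tag
            etype, l3 = struct.unpack("!H", pkt[16:18])[0], 18
        if etype != 0x0800 or len(pkt) < l3 + 20:
            continue                             # not IPv4 or truncated
        ihl = (pkt[l3] & 0x0F) * 4
        frag = struct.unpack("!H", pkt[l3 + 6:l3 + 8])[0] & 0x1FFF
        if pkt[l3 + 9] not in (6, 17) or frag or len(pkt) < l3 + ihl + 4:
            continue                             # need TCP/UDP, first fragment
        sport, dport = struct.unpack("!HH", pkt[l3 + ihl:l3 + ihl + 4])
        if pkt[l3 + 16:l3 + 20] == want and dport in dst_ports:
            src = socket.inet_ntoa(pkt[l3 + 12:l3 + 16])
            hits.append((ts, src, sport, dst_ip, dport))
    return hits

def sample_capture():
    """Constructed pcap: four minimal Ethernet/IPv4 frames, not real traffic."""
    flows = [("10.0.2.9", "10.0.2.4", 6, 50001, 3389),   # match
             ("10.0.2.9", "10.0.2.4", 6, 50002, 443),    # wrong port
             ("10.0.2.4", "10.0.2.9", 6, 3389, 50001),   # reply direction
             ("10.0.2.7", "10.0.2.4", 17, 50003, 22)]    # match (UDP)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, (src, dst, proto, sport, dport) in enumerate(flows):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = bytes(12) + b"\x08\x00" + ip + struct.pack("!HHI", sport, dport, 0)
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for hit in filter_pcap(sample_capture(), "10.0.2.4", {3389, 22}):
        print(hit)
```

For a real capture, pass the file's bytes (read in binary mode) in place of `sample_capture()`.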
vmmed1
Enthusiast

But the problem there is that the pcaps are limited to 20000 lines or 20MB. So when you're trying to troubleshoot an intermittent issue your pcap will fill up before you capture the bad stuff in the act.

0 Kudos
vmmed1
Enthusiast

This sounds like the best way to go. The pcap in the GUI is just so close and convenient!

0 Kudos
RShankar22
VMware Employee

With the ESXi pktcap-uw command you can redirect the output to a datastore. This will not consume your local datastore, and no storage problem will arise.