When I go to capture the packets in 6.4.4 - it says there is filtering. But if I go to the drop down,
rather than seeing an opportunity to enter boolean expressions to limit the captured traffic
I am seeing these known nic-whatever entries. Is there a way I can use pcap to just
see traffic destined for a specific VM?
If you want to perform packet capture for a VM or specific vNIC of a VM. The best way is to login into ESXi host where the VM resides and identify the switchport connected to VM using command "net-stats -l" and then use ESXI "pktcap-uw" to capture the packets.
There are lot of options under ESXi pktcap-uw based on that you can capture the packets of your interest.
The selection of the filter drop-down field depends on your firewall rules applied on the ESXi host.
But if you create a packet capture session you have to select an ESXi host and either an adapter or a filter. If you select as adapter "vNIC", you can select a specific vNIC of a VM.
So, the packet capturing will only be applied on this VM vNIC. That should exactly accomplish what you want.
Yes - when I do a pcap I select the ESXi host on which the VM resides, then I choose the VM and the VNIC.
But what I'm not getting is that normally - say with wireshark or tcpdump - I have the option to filter the interesting
traffic when I execute the pcap.
For example: tcpdump 'dst 10.0.2.4 and (dst port 3389 or 22)'
This would limit the interesting traffic to flows destined for 10.0.2.4 and port 3389 or port 22.
*That's*what I'd like to be able to do with NSX pcap function. But instead it's just giving me
a list of vnic in the filter drop down. I can't figure out what they're doing there.
The Packet Capturing under NSX is not as mature and simple as you know it from tcpdump or Wireshark.
When you create a capture session, you can enter a source and destination IP in the Advanced tab. But complex filter rules are not possible.
Most of the time it is easier not to apply a filter, download the capture file after the session was captured and import it into wireshark or tcpdump for further analysis.
But you can also take a look at the pktcap-uw tool on the ESXi console:
Capturing and Tracing Network Packets by Using the pktcap-uw Utility
If you want to perform packet capture for a VM or specific vNIC of a VM. The best way is to login into ESXi host where the VM resides and identify the switchport connected to VM using command "net-stats -l" and then use ESXI "pktcap-uw" to capture the packets.
There are lot of options under ESXi pktcap-uw based on that you can capture the packets of your interest.
But the problem there is that the pcaps are limited to 20000 lines or 20MB. So when you're trying to
troubleshoot an intermittent issue your pcap will fill up before you capture the bad stuff in the act.
This sounds like the best way to go. The pcap in the GUI is just so close and convenient!
In ESXi pktcap-uw command you can redirect the output to datastore. This will not consume your local datastore and there will not be any storage problem arises.