I’m going to walk you through capturing traffic on a specific port of a dvSwitch or NSX segment using the ESXi CLI.
Start by enabling SSH on the ESXi host and connecting to it.
Then run net-stats -l to list every switch port on that host, together with the client (vmkernel interface, uplink or VM vNIC) attached to it.
[root@esxi02:~] net-stats -l
PortNum Type SubType SwitchName MACAddress ClientName
134217769 3 0 DvsPortset-2 00:50:56:68:a9:c0 vmk12
134217770 3 0 DvsPortset-2 00:50:56:66:69:90 vmk13
134217772 3 0 DvsPortset-2 00:50:56:6a:ab:f9 vmk50
134217773 0 0 DvsPortset-2 02:50:56:56:44:52 vdr-vdrPort
134217774 5 9 DvsPortset-2 00:50:56:83:a1:fd cnfc1-test-controlplane-xfl2g-mr2sq.eth0
2315255841 4 0 DvsPortset-3 0a:91:68:10:00:87 vmnic9
2315255843 4 0 DvsPortset-3 0a:91:68:10:00:86 vmnic8
167772198 3 0 DvsPortset-3 00:50:56:68:d1:15 vmk1
167772203 3 0 DvsPortset-3 00:50:56:65:13:15 vmk2
You’ll find the port number in the first column. In this example, the goal is to capture all traffic related to the VM cnfc1.
pktcap-uw --switchport 134217774 --dir 2 -o - | tcpdump-uw -enr -
The result looks like this:
[root@esxi02:~] pktcap-uw --switchport 134217774 --dir 2 -o - | tcpdump-uw -enr -
The switch port id is 0x0800002e.
pktcap: The output file is -.
pktcap: No server port specifed, select 57835 as the port.
pktcap: Local CID 2.
pktcap: Listen on port 57835.
pktcap: Main thread: 895981374656.
pktcap: Dump Thread: 895981905664.
pktcap: Recv Thread: 895982434048.
pktcap: Accept...
pktcap: The output file format is pcapng.
pktcap: Vsock connection from port 1032 cid 2.
reading from file -, link-type EN10MB (Ethernet), snapshot length 65535
11:53:04.087845 00:50:56:83:a1:fd > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.0.10 (ff:ff:ff:ff:ff:ff) tell 192.168.0.10, length 46
11:53:07.123779 00:50:56:83:a1:fd > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Reply 192.168.0.10 is-at 00:50:56:83:a1:fd, length 46
11:53:10.163850 00:50:56:83:a1:fd > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.0.10 (ff:ff:ff:ff:ff:ff) tell 192.168.0.10, length 46
11:53:13.203839 00:50:56:83:a1:fd > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Reply 192.168.0.10 is-at 00:50:56:83:a1:fd, length 46
11:53:16.251819 00:50:56:83:a1:fd > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.0.10 (ff:ff:ff:ff:ff:ff) tell 192.168.0.10, length 46
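To tie the two steps together, here is an added POSIX sh example (written for this post, not part of the original or of any VMware tooling) that resolves the port number from the net-stats -l table by client name instead of reading it off by eye, and then builds the same pktcap-uw | tcpdump-uw pipeline. The table embedded in the script is a constructed subset of the output above so it runs offline; on an ESXi host it reads the live table and starts the capture. The meaning of --dir (0 = receive, 1 = transmit, 2 = both) is taken from pktcap-uw --help on recent ESXi releases.

```sh
#!/bin/sh
# Added example, not from the original post: look up a dvSwitch/NSX segment port
# by the name of the client attached to it and capture that port's traffic.
# Works in busybox ash on ESXi as well as in any POSIX sh.

# Constructed sample of `net-stats -l` output (subset of the post's table) so the
# lookup can be exercised on a machine that is not an ESXi host.
SAMPLE_NETSTATS='PortNum Type SubType SwitchName MACAddress ClientName
134217769 3 0 DvsPortset-2 00:50:56:68:a9:c0 vmk12
134217774 5 9 DvsPortset-2 00:50:56:83:a1:fd cnfc1-test-controlplane-xfl2g-mr2sq.eth0
2315255841 4 0 DvsPortset-3 0a:91:68:10:00:87 vmnic9'

# port_for_client <client-name-substring> [netstats-text]
# Prints the PortNum (column 1) of the first data row whose ClientName (column 6)
# contains the substring. Returns 1 when nothing matches, so a caller never
# launches pktcap-uw with an empty or wrong port.
port_for_client() {
  _needle=$1
  _table=${2:-$SAMPLE_NETSTATS}
  printf '%s\n' "$_table" | awk -v needle="$_needle" '
    NR > 1 && index($6, needle) { print $1; found = 1; exit }
    END { exit found ? 0 : 1 }'
}

# capture_cmd <port> [direction]
# Builds the exact pipeline used in the post: -o - streams pcapng to stdout,
# tcpdump-uw -enr - decodes it with link-level headers and no name resolution.
capture_cmd() {
  _port=$1
  _dir=${2:-2}
  case "$_dir" in
    0|1|2) ;;
    *) echo "direction must be 0 (rx), 1 (tx) or 2 (both)" >&2; return 1 ;;
  esac
  printf 'pktcap-uw --switchport %s --dir %s -o - | tcpdump-uw -enr -\n' "$_port" "$_dir"
}

# run_capture <client-name-substring> [direction]
# On an ESXi host: read the live port table, resolve the port and start the capture
# (it runs until interrupted with Ctrl-C). Off-host: only print the command.
run_capture() {
  if command -v net-stats >/dev/null 2>&1; then
    _table=$(net-stats -l)
  else
    _table=$SAMPLE_NETSTATS
  fi
  _port=$(port_for_client "$1" "$_table") || { echo "no switch port for '$1'" >&2; return 1; }
  _cmd=$(capture_cmd "$_port" "${2:-2}") || return 1
  if command -v pktcap-uw >/dev/null 2>&1; then
    eval "$_cmd"
  else
    printf 'would run: %s\n' "$_cmd"
  fi
}

# Default invocation mirrors the post: capture both directions for the cnfc1 VM.
run_capture "${1:-cnfc1}" "${2:-2}"
```

Run it as ./capture.sh cnfc1 (or ./capture.sh vmk12 0 to see only received traffic on a vmkernel port); matching on a substring of the ClientName keeps it usable for VM vNICs whose full name carries a generated suffix, as in the cnfc1 example.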