
Capture traffic that flows through an ESXi NIC, and capture the traffic that goes in and out of a virtual machine

Note: In vSphere 6.5 and earlier, specify the direction of traffic with --dir 0 for inbound or --dir 1 for outbound; a single capture can't take both directions at once. In vSphere 6.7 and later, --dir 0 is inbound, --dir 1 is outbound, and --dir 2 captures both.


Steps:

- Find the numerical ID of the VM's switch port. Run "net-stats -l" in the ESXi host's SSH console: the PortNum column holds the port ID and the ClientName column names the client attached to it (the VM's vNIC, or a vmk/vmnic for host ports).

- Then get the details of your VM's port with esxcli network vm port list -w XX, where XX is the VM's world ID (listed by esxcli network vm list). The Port ID shown there must match the PortNum you picked from net-stats.

- To get bidirectional traffic on vSphere 6.5 and earlier: the selector "--dir 0" captures inbound packets and "--dir 1" captures outbound packets, and one command can only do one of them, so use the good old "&" to run two captures in parallel, each writing its own direction to a separate file. Note that "in" and "out" are defined from the switch port's point of view, not the guest's; confirm the labels with a known flow (a ping from the VM, say) before you rely on them.


Inbound Capture:

pktcap-uw --switchport 50331698 --dir 0 -o /tmp/50331698_in.pcap &


Outbound Capture:

pktcap-uw --switchport 50331698 --dir 1 -o /tmp/50331698_out.pcap &


On vSphere 6.7 and later a single capture with --dir 2 takes both directions:


Both In and Out Capture:

pktcap-uw --switchport 33554495 --dir 2 -o /tmp/33554495_InandOut.pcap &


- The commands above capture inbound/outbound traffic in the background. To stop them, first list the cartel IDs of the running pktcap-uw processes with lsof |grep pktcap-uw |awk '{print $1}'| sort -u, then feed that list to kill. The neat trick is to do both in one go: kill $(lsof |grep pktcap-uw |awk '{print $1}'| sort -u). Be aware that this kills every pktcap-uw instance on the host, not just yours. A capture started in the foreground is stopped with Ctrl + C instead.


- The result is two pcap files, one per direction. How do you put them together into one coherent capture file?


- Merging two unidirectional pcap files into one bidirectional file: since both files were captured on the same system (one internal clock), their packet timestamps are already synchronized, so a plain merge with "mergecap", which ships with the Wireshark installation on both Linux and Windows and orders packets chronologically by default, is all that is needed.


Windows mergecap example: mergecap.exe lives in C:\Program Files\Wireshark; open a prompt there and run this one-liner (-w names the output file, the remaining arguments are the inputs):


C:\Program Files\Wireshark>mergecap.exe -w C:\Users\havrila\Downloads\50331698_merged.pcap C:\Users\havrila\Downloads\50331698_in.pcap C:\Users\havrila\Downloads\50331698_out.pcap


And that's it: open 50331698_merged.pcap in Wireshark and you see your ESXi VM's traffic as a normal bidirectional capture.


PS: If you wonder about the timestamps inside pcap files, or one day have two capture files from two systems whose clocks are not synchronized and want to merge those, have a look at the capinfos and editcap utilities from Wireshark. capinfos shows the first and last packet time of each file, and editcap shifts all timestamps by a given number of seconds (editcap -t <offset> A.pcap B.pcap, where A.pcap is the input and B.pcap the adjusted output).
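The whole procedure above (find the port, start one or two background captures depending on the ESXi release, stop them with the lsof/kill trick, merge the results) as one POSIX sh script. This is an added example, not code from the original post or from VMware; the VM client name web01.eth0, the sample net-stats -l listing, the output paths and the function names are assumptions made for illustration. The embedded sample listing is constructed so the port lookup and command building can be exercised off the host; on a real host the script calls net-stats -l instead.

```shell
#!/bin/sh
# Added example, not from the original post: drive the pktcap-uw capture
# procedure from one script. Written for POSIX sh so it runs under the
# busybox shell on an ESXi host. All names below are illustrative.

# Constructed sample of `net-stats -l` output (assumption: VM vNICs show up
# as "<vm>.eth<N>" in ClientName). Used only when net-stats is not available.
SAMPLE_NETSTATS='PortNum          Type SubType SwitchName       ClientName
33554434            4       0 vSwitch0         Management
33554436            3       0 vSwitch0         vmnic0
33554438            3       0 vSwitch0         vmk0
50331650            4       0 vSwitch1         Management
50331651            3       0 vSwitch1         vmnic1
50331698            5       9 vSwitch1         web01.eth0
50331699            5       9 vSwitch1         db01.eth0'

netstats_output() {
    if command -v net-stats >/dev/null 2>&1; then
        net-stats -l
    else
        printf '%s\n' "$SAMPLE_NETSTATS"
    fi
}

# Step 1: switch port number for a client name. Matching the whole last
# field avoids confusing "web01.eth0" with "web010.eth0" or a bare "web01".
port_for_vm() {
    netstats_output | awk -v client="$1" '$NF == client { print $1 }'
}

# Step 3: build the capture command(s) for a port. On 6.7 and later one
# --dir 2 capture is enough; earlier releases need one capture per direction.
# Prints one command per line so the caller decides how to run them.
capture_cmds() {
    port="$1"; version="$2"; out="$3"
    major="${version%%.*}"; minor="${version#*.}"; minor="${minor%%.*}"
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 7 ]; }; then
        echo "pktcap-uw --switchport $port --dir 2 -o ${out}/${port}_inout.pcap"
    else
        echo "pktcap-uw --switchport $port --dir 0 -o ${out}/${port}_in.pcap"
        echo "pktcap-uw --switchport $port --dir 1 -o ${out}/${port}_out.pcap"
    fi
}

# Step 4: stop every running pktcap-uw (the post's lsof/kill trick; note it
# is host-wide, so it also ends captures started by someone else).
stop_captures() {
    pids=$(lsof 2>/dev/null | grep pktcap-uw | awk '{print $1}' | sort -u)
    [ -n "$pids" ] && kill $pids
}

# Step 5: merge every file written for this port into one chronological pcap.
merge_port() {
    port="$1"; out="$2"
    mergecap -w "${out}/${port}_merged.pcap" "${out}/${port}"_*.pcap
}

# Usage: ./capture_vm.sh web01.eth0 6.5 30 /tmp
#        (client name, ESXi version, seconds to capture, output directory)
run_capture() {
    client="$1"; version="$2"; secs="${3:-30}"; out="${4:-/tmp}"
    port=$(port_for_vm "$client")
    [ -n "$port" ] || { echo "no switch port for $client" >&2; return 1; }
    capture_cmds "$port" "$version" "$out" | while read -r cmd; do
        $cmd &          # background each capture, like the post's "&" trick
    done
    sleep "$secs"
    stop_captures
    command -v mergecap >/dev/null 2>&1 && merge_port "$port" "$out"
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    run_capture "$@"
fi
```

Run it on the host as ./capture_vm.sh web01.eth0 6.5 30 /tmp; with a 6.7 or later version string it issues a single --dir 2 capture. Once the merged file exists, a quick sanity check is to follow one TCP stream in Wireshark and confirm that packets from both directions appear, which is also how you verify that --dir 0 and --dir 1 were labelled the way you expected.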



