My plan is to blog more about solutions, how to configure them, and what the packets look like on the wire. As I don't have plenty of hardware, I will use VMware ESXi to simulate most of the setups with HPE VSR routers. Therefore I was looking for a way to capture the traffic of a specific VM or VM network adapter, and I found one. As it is very helpful for me, I will share it with the community.
Traffic Capture with VMware ESXi
https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2051814

The interesting part for me is to capture the traffic of a specific vSwitch port, which is the traffic of exactly one virtual machine NIC, so that I can analyze the protocols. This can be achieved with the switchport option of the pktcap-uw command. The option takes the number of the switch port the virtual machine NIC is connected to as its parameter. Unfortunately, this number is not shown in the GUI, so you have to use another CLI command:
The command used is “net-stats” with the “-l” option. It produces the output above, where the first column is the port number. Port numbers are only displayed for running virtual machines; machines that are powered off have no entry at all. If your virtual machine has more than one NIC, use the MAC address column to match the correct port to listen on.
To start the traffic capture, I will use the port number and start the capture process:
As you can see above, the capture recorded some packets and printed them to the console. If you are very good at reading hex dumps, this is what you want; if you prefer the Wireshark interface, you can also dump the output to a Wireshark-compatible file by using another option.
The “-o” option lets you specify a file as the destination for the capture. This file can then be opened with Wireshark. Here is the example:
As you can see, the output was now dumped to a file, which can be downloaded from the ESXi server and then opened with Wireshark. To make it simpler, you could also mount an external share on the ESXi server and store the dump there.
You can also run multiple capture sessions by joining several capture commands with the “&” sign. This is very helpful if you want to capture on both ends of a connection, assuming that both ends are on the same ESXi server.
The command would look like this:
Make sure to stop the captures with CTRL-C, pressed several times, so that they are really terminated. To check whether a capture is still running, you can use this command:
To kill captures still running, use this command:
This will kill all capture sessions.
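The whole procedure from above in one script, as an added example that is not part of the original post: look up the switch port of a VM NIC by its MAC address in the `net-stats -l` output, build the single and the two-ended `pktcap-uw` commands, and list sessions that are still running. The `net-stats` sample, the MAC addresses, the VM names and the datastore paths are constructed; `--switchport` and `-o` are the options described in the post, and the lsof-based check is the one from the VMware KB article linked above. Only the parsing and command building run offline; the live lookup and the session check need an ESXi shell.

```shell
#!/bin/sh
# Added example (not from the original post): glue around `net-stats -l` and
# `pktcap-uw` to find the vSwitch port of a VM NIC by MAC address and build
# the capture commands. Runs offline on the constructed sample below; on an
# ESXi host call port_for_mac without the second argument.

# Constructed sample in the layout `net-stats -l` prints on ESXi: the first
# column is the port number, the fifth the MAC of the connected NIC.
# MACs and VM names are made up.
SAMPLE_NET_STATS='PortNum          Type SubType SwitchName       MACAddress         ClientName
33554434            4       0 vSwitch0         00:50:56:aa:bb:01  vmnic0
33554436            3       0 vSwitch0         00:50:56:aa:bb:02  vmk0
33554440            5       9 vSwitch0         00:0c:29:11:22:33  HPE-VSR-1
33554441            5       9 vSwitch0         00:0c:29:44:55:66  HPE-VSR-2'

# port_for_mac MAC [NET_STATS_OUTPUT]
# Prints the port whose MACAddress column matches MAC (case-insensitive), or
# nothing if the VM is powered off (stopped VMs have no entry at all).
# Without a second argument the live `net-stats -l` output is used.
port_for_mac() {
  _mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  _input=${2:-$(net-stats -l)}
  printf '%s\n' "$_input" |
    awk -v mac="$_mac" 'NR > 1 && tolower($5) == mac { print $1; exit }'
}

# capture_cmd PORT FILE
# Builds the pktcap-uw invocation that captures one switch port into a
# pcap file that Wireshark can open.
capture_cmd() {
  printf 'pktcap-uw --switchport %s -o %s' "$1" "$2"
}

# both_ends_cmd PORT_A FILE_A PORT_B FILE_B
# Joins two captures with "&" so both ends of a connection hosted on the
# same ESXi server are captured at once.
both_ends_cmd() {
  _a=$(capture_cmd "$1" "$2")
  _b=$(capture_cmd "$3" "$4")
  printf '%s & %s' "$_a" "$_b"
}

# running_capture_ids
# Lists the IDs of pktcap-uw sessions still running, using the lsof-based
# check from the linked VMware KB article. ESXi only; the IDs it prints are
# what you pass to kill when CTRL-C did not terminate everything.
running_capture_ids() {
  lsof | grep pktcap-uw | awk '{print $1}' | sort -u
}

# Demo on the constructed sample.
port_a=$(port_for_mac 00:0c:29:11:22:33 "$SAMPLE_NET_STATS")
port_b=$(port_for_mac 00:0c:29:44:55:66 "$SAMPLE_NET_STATS")
echo "HPE-VSR-1 -> port $port_a, HPE-VSR-2 -> port $port_b"
echo "single capture: $(capture_cmd "$port_a" /vmfs/volumes/datastore1/vsr1.pcap)"
echo "both ends     : $(both_ends_cmd "$port_a" /vmfs/volumes/datastore1/vsr1.pcap "$port_b" /vmfs/volumes/datastore1/vsr2.pcap)"
```

Matching on the MAC address rather than on the ClientName column is deliberate: the VM name is the last column and may contain spaces, while the MAC is a single token and is the only reliable way to tell the NICs of a multi-NIC VM apart.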
From my point of view, this is really helpful for getting traces of specific virtual machines. I will use it to provide insight into the traffic flows of the solutions I will write about in future posts.
If you have any questions please use the comment function below. If you would like to provide feedback please contact me or use the comment function as well.