Use the pktcap-uw utility to inspect the contents of packets while they traverse the network stack on an ESXi host.
pktcap-uw Syntax for Capturing Packets
The pktcap-uw command has the following syntax for capturing packets at a certain place in the network stack:
pktcap-uw switch_port_arguments capture_point_options filter_options output_control_options
Argument Group | Argument | Description |
---|---|---|
switch_port_arguments | --uplink vmnicX |
Capture packets that are related to a physical adapter. You can combine the --uplink and --capture options for monitoring packets at a certain place in the path between the physical adapter and the virtual switch. |
--vmk vmkX |
Capture packets that are related to a VMKernel adapter. You can combine the vmk and --capture options for monitoring packets at a certain place in the path between the VMkernel adapter and the virtual switch. |
|
--switchport {vmxnet3_port_ID | vmkernel_adapter_port_ID} |
Capture packets that are related to a VMXNET3 virtual machine adapter or to a VMkernel adapter that is connected to a particular virtual switch port. You can view the ID of the port in the network panel of the esxtop utility. You can combine the switchport and capture options for monitoring packets at a certain place in the path between the VMXNET3 adapter or VMkernel adapter and the virtual switch. See How to Capture Packets for a VMXNET3 Virtual Machine Adapter. |
|
--lifID lif_ID |
Capture packets that are related to the logical interface of a distributed router. See the VMware NSX documentation. |
|
capture_point_options | --capture capture_point |
Capture packets at a particular place in the network stack. For example, you can monitor packets right after they arrive from a physical adapter. |
--dir {0|1|2} | Capture packets according to the direction of the flow with regard to the virtual switch. 0 stands for incoming traffic, 1 for outgoing traffic, and 2 for bidirectional traffic. By default, the pktcap-uw utility captures ingress traffic. Use the --dir option together with the --uplink, --vmk, or --switchport option. |
|
--stage {0|1} | Capture the packet closer to its source or to its destination. Use this option to examine how a package changes while it traverses the points in the stack. 0 stands for traffic closer to source and 1 for traffic closer to destination. Use the --stage option together with the --uplink, --vmk , --switchport, or --dvfilter option. |
|
--dvfilter filter_name --capture PreDVFilter|PostDVFilter |
Capture packets before or after a vSphere Network Appliance (DVFilter) intercepts them. See How to Capture Packets at DVFilter Level. | |
-A | --availpoints | View all capture points that the pktcap-uw utility supports. | |
For details about the capture points of the pktcap-uw utility, see Capture Points of the pktcap-uw Utility. |
||
filter_options | Filter captured packets according to source or destination address, VLAN ID, VXLAN ID, Layer 3 protocol, and TCP port. See pktcap-uw Options for Filtering Packets. | |
output_control_options | Save the contents of a packet to a file, capture only a number of packets, and capture a number of bytes at the beginning of packets, and so on. See pktcap-uw Options for Output Control. |
The vertical bars | represent alternative values, and the curly brackets {} used with vertical bars specify a list of choices for an argument or option.