Monthly Archives: December 2013

Sniffing Packets on VMware ESXi 5.1 and Viewing the Capture in Wireshark

01 Sunday Dec 2013

Posted by in VMware, Wireshark

Leave a comment

Tags

,

So you need to sniff packets on ESXi 5x for troubleshooting purposes and you are not sure how to get it done. Hopefully this post will assist you. You can access the ESXI CLI from the console or via Putty/xterm by enabling SSH on the host. I prefer SSH access because the buffers in Putty/xterm make life easier.

You can use Wireshark to read the pcap files. Download and install for your OS in this way:
Windows: http://www.wireshark.org/download.html

Debian based Linux:
> apt-get install wireshark

RPM based Linux:
> yum install wireshark

1) Enable SSH on the host.
a) In vCenter, select the Host > Configuration tab > Security Profile > in the Security Profile section click Properties.
b) Scroll down to SSH and select it, then click Options > Start > OK > OK.
c) Launch an xterm or PuTTY session to the ESXi host and login as root.

2) Determine what VMKernel Ports you have on the host.
> esxcfg-vmknic -l | grep vmk
vmk0  Management Network  IPv4 10.10.10.13 255.255.255.0  10.10.10.255  00:1b:78:e0:2f:ea 1500 65535 true STATIC
vmk1  vMotion and iSCSI   IPv4 10.10.10.22 255.255.255.0  10.10.10.255  00:50:56:6f:ba:f2 1500 65535 true STATIC

2) In this case we have two.  Your production systems should have more.
vmk0 – ESXi management network. The default VMKernel Port created when you install ESXi.
vmk1 – vMotion and iSCSI. This is one I created for my LAB used for vMotion and iSCSI traffic.

3) At its most basic, specify the vmk port number and you see the packets fly by.
> tcpdump-uw -i vmk0
a) to stop, simply press CTRL+C.

Three things you need to know about tcpdump-uw:
a) tcpdump-uw only captures the first 68 bytes of data from a packet. To capture the full packet, use the -s option with a value of 1514 for normal MTU or 9014 for jumbo frames.
b) Also, tcpdump-uw can capture a max of 8138 bytes because of buffer constraints. The -B 9 option increases the buffer allowing the capture of up to 9014 bytes.
c) Captures on the vmkernel interface (vmk) only captures network traffic traversing to and from the vmkernel on that interface. It doesnt capture traffic moving across the Virtual Switch.
d) There are quite a few option for so play around with them.
> tcpdump-uw -?
tcpdump-uw version 4.0.0vmw
libpcap version 1.0.0
Usage: tcpdump-uw [-aAdDefIKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -M secret ] [ -r file ]
[ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ]
[ -y datalinktype ] [ -z command ] [ -Z user ]
[ expression ]

For example, for default MTU:
> tcpdump-uw -i vmk0 -s 1514
For Jumbo Frames:
> tcpdump-uw -i vmk0 -s 9014 -B 9

4) A few examples to get you started.
a) Dump packets on vmk0 with default MTU very verbose output showing only DNS packets (port 54).
> tcpdump-uw -i vmk0 -s 1514 -vvv port 53

b) Same as above except show NTP packets.
> tcpdump-uw -i vmk0 -s 1514 -vvv port 123

c) Is vCenter communicating properly with the ESXi host?  
> tcpdump-uw -i vmk0 -s 1514 -vvv port 902

d) Filter by transport type – TCP or UDP.
> tcpdump-uw -i vmk0 -s 1514 udp
> tcpdump-uw -i vmk0 -s 1514 tcp

e) Filter for ARP packets.
> tcpdump-uw -i vmk0 -s 1514 udp | grep ARP

5) You can dump the traffic to a pcap file and open it with Wireshark. Before you start the capture, change directories so you can easily recover the pcap file from the datastore in vCenter.

> cd /vmfs/volumes/datastore1
> tcpdump-uw -i vmk0 -s 1514 -w esxihost01.pcap
> When ready to stop capturing packets, press CTRL+C
a) When done, in vCenter select the ESXi host you were sniffing packets on, then click the Configuration tab > Storage.
b) Right-click datastore1 (or the datastore were your pcap file is) and select Browse datastore.
c) Right-click the esxihost01.pcap file > select Download, select a location and click OK.
d) Double-click the file and it will open in Wireshark.esxipacketsniff