Packet capture on ESXi host

Question

I have an issue I am trying to track down and I believe the problem is with physical networking hardware. I have read the VMWare documentation on the pktcap-uw command and I know I can use it to dump the traffic to a file which can then be viewed with Wireshark, but the pcaps I am getting are a little weird.

Looking at the documentation, I want to see traffic only between two IP addresses (IP A and IP B) on port 80 and I can use the --ip switch, but if I have --ip A --ip B, is that a boolean AND or a boolean OR.

tcpdump allows you to specify OR or AND and use parenthesis to do a full boolean expression. For pktcap-uw there is also --dstip and --srcip, but if you use the tcpdump equivelant, you would normally get only half the conversation.

What would be the correct syntax?

Just do a port mirror on the switch ? And use wireshark after — yagmoth555, Sep 18 '15 at 22:42
That equipment is outside of my perview. Network team tracked it down to an IP conflict though. — James Shewey, Sep 19 '15 at 00:13

ben snarker · Answer 1 · 2018-08-11T18:02:57.097

I just tested with pktcap-uw.

if I have --ip A --ip B, is that a boolean AND or a boolean OR.

When you specify --ip two times, only the last specified option is used.

If you specify different types of options, eg. --ip and --tcpport, they are ANDed.

There are some VProbe options to pktcap-uw. My best guess for going forward would be that you may be able to manually compile a VProbe script that filters the traffic that you want and feed it to pktcap-uw.

Found a git repository with a VProbe toolkit here: https://github.com/vmware/vprobe-toolkit/

Packet capture on ESXi host

1 Answers1