Steve Borba

These are my notes; I hope they help you. Feel free to comment on or add to them.

Capture at ESXi Host

With everything becoming virtual, we get more tools, but that means more things to remember. These are my notes for a capture from an ESXi host.


First, let's capture at the uplink. We need to find which physical NIC (vmnic) to use:

esxcfg-nics -l

Which gives us something like this:

Name    PCI          Driver      Link Speed      Duplex MAC Address       MTU    Description
vmnic0  0000:02:00.0 r8168       Up   1000Mbps   Full   00:01:2e:6e:1c:2c 9000   Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
vmnic1  0000:03:00.0 r8168       Down 0Mbps      Half   00:01:2e:6e:1c:2d 9000   Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller

Now we can see which NICs we have and their link state. Here is a capture in both directions, displayed on the screen:

pktcap-uw --uplink vmnic0 --dir 2

I may want to capture a single VM and save it to a file, so let's find which VM/switch ports are here:

net-stats -l

Which gives us something like this:

PortNum          Type SubType SwitchName       MACAddress         ClientName
33554434            4       0 vSwitch0         00:01:2e:6e:1c:2c  vmnic0
33554436            5       9 vSwitch0         00:0c:29:b9:83:b4  PAN1
33554438            5       9 vSwitch0         00:0c:29:ad:31:64  U1804
50331650            4       0 vSwitch1         00:01:2e:6e:1c:2d  vmnic1
50331652            5       9 vSwitch1         00:0c:29:b9:83:be  PAN1
50331654            5       9 vSwitch1         00:0c:29:ad:31:78  U1804
67108866            3       0 Internal         00:01:2e:6e:1c:2d  vmk0
67108867            5       9 Internal         00:0c:29:b9:83:c8  PAN1
67108868            5       9 Internal         00:0c:29:b9:83:aa  PAN1
67108869            5       9 Internal         00:0c:29:b9:83:a0  PAN1
67108870            5       9 Internal         00:0c:29:b9:83:96  PAN1
67108875            5       9 Internal         00:0c:29:ad:31:6e  U1804
83886082            5       9 vwire1           00:0c:29:b9:83:dc  PAN1
83886083            5       9 vwire1           00:0c:29:b9:83:d2  PAN1
100663298           5       9 vwire2           00:0c:29:b9:83:f0  PAN1
100663299           5       9 vwire2           00:0c:29:b9:83:e6  PAN1

Now let's get the packets coming out of a VM (--dir 0 is input to the vswitch, i.e. from the VM) and auto-stop at 100 MB (you could also use -c 1000 to stop at 1000 packets; I prefer something that keeps us from filling up the disk):

pktcap-uw --switchport 83886082 --dir 0 -o /vmfs/volumes/LocalSSD/PAN1-vwire1.pcap -C 100

Now I can download it and look at it with Wireshark.
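Here is an added helper script for the steps above; it is my own illustration, not part of the original notes. It resolves a VM's switch-port IDs (and their MACs) from net-stats -l output and prints the matching pktcap-uw commands, capped with -C so a long capture cannot fill the datastore. NETSTATS_SAMPLE is a constructed copy of the table above; the switch names, VM names and output paths are assumptions taken from that table.

```shell
#!/bin/sh
# Added helper (not from the original notes): resolve a VM's switch-port IDs
# from net-stats -l output and build a capped pktcap-uw command for each one.
# NETSTATS_SAMPLE is a constructed copy of the table above; on a real host
# use NETSTATS_SAMPLE="$(net-stats -l)" instead.
NETSTATS_SAMPLE='PortNum          Type SubType SwitchName       MACAddress         ClientName
33554434            4       0 vSwitch0         00:01:2e:6e:1c:2c  vmnic0
33554436            5       9 vSwitch0         00:0c:29:b9:83:b4  PAN1
33554438            5       9 vSwitch0         00:0c:29:ad:31:64  U1804
83886082            5       9 vwire1           00:0c:29:b9:83:dc  PAN1
83886083            5       9 vwire1           00:0c:29:b9:83:d2  PAN1'

# switchport_ids <switch> <client>: print every PortNum belonging to <client>
# on <switch>, one per line. A VM with several vNICs on one switch (PAN1 on
# vwire1 above) has several ports, and each needs its own capture.
switchport_ids() {
    printf '%s\n' "$NETSTATS_SAMPLE" |
        awk -v sw="$1" -v cl="$2" 'NR > 1 && $4 == sw && $6 == cl { print $1 }'
}

# port_mac <portnum>: print the MAC address on a port, useful for a --mac
# flow filter when capturing the same VM at the uplink instead.
port_mac() {
    printf '%s\n' "$NETSTATS_SAMPLE" | awk -v p="$1" 'NR > 1 && $1 == p { print $5 }'
}

# capture_commands <switch> <client> <dir> <outdir> <maxmb>: print one
# pktcap-uw command per port. --dir is relative to the vswitch (0 = from the
# VM, 1 = to the VM, 2 = both) and -C caps each file at <maxmb> MB so a long
# capture cannot fill the datastore.
capture_commands() {
    sw=$1; cl=$2; dir=$3; outdir=$4; maxmb=$5
    for port in $(switchport_ids "$sw" "$cl"); do
        printf 'pktcap-uw --switchport %s --dir %s -o %s/%s-%s-%s.pcap -C %s\n' \
            "$port" "$dir" "$outdir" "$cl" "$sw" "$port" "$maxmb"
    done
}

# uplink_command <vmnic> <portnum> <outfile> <maxmb>: capture one VM's frames
# as they cross the physical uplink, filtered by that port's MAC.
uplink_command() {
    printf 'pktcap-uw --uplink %s --dir 2 --mac %s -o %s -C %s\n' \
        "$1" "$(port_mac "$2")" "$3" "$4"
}

# Example on the host: capture_commands vwire1 PAN1 2 /vmfs/volumes/LocalSSD 100
```

The functions only print the commands so you can review them first; start each one in the background with & since pktcap-uw blocks until the -C limit is reached.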


Use --help to get extra info such as the flow filter options, but it may be easier to read here in a browser:

Packet Capture and Trace command usage:
        == Create session to capture packets ==
         pktcap-uw [--capture <capture point>[,capture point]...
              | [--dir <0|input|1|output|2|inputAndOutput>]
                [--stage <0|pre|1|post>] [-K|--kernelside]]
            [--switchport <PortID> | --vmk <vmknic> | --uplink <vmnic> |
               --fcport [fastpathSwitchID.]<PortID> |
               --dvfilter <filter name> |
               --overlay <overlay class name>]
            [--lifID <lif id for vdr>]
            [-f [module name.]<function name>[:offset]]
            [-AFhP] [-p|--port <Socket PORT>]
            [-c|--count <number>] [-s|--snapLen <length>]
            [-G <seconds>]
            [-C <file_size>]
            [-o|--outfile <FILE>] [--console]
            [Flow filter options]

        == Create session to trace packets path ==

     it can trace up to 32 level from pkt allocation and record up to 12 IOChain or portID
         pktcap-uw --trace
            [-AFhP] [-p|--port <Socket PORT>]
            [-c|--count <number>] [-s|--snapLen <length>]
            [-G <seconds>]
            [-C <file_size>]
            [-o|--outfile <FILE>] [--console]
            [Flow filter options]

The command options:
        -p, --port <Socket PORT>
                Specify the port number of vsocket server.
        -G, <seconds>
                Specify the seconds to rotate the outfile.
        -C, <file_size MB>
        -o, --outfile <FILE>
                Specify the file name to dump the packets. If unset,
                output to console by default. If '-', then stdout is used.
        -P, --ng   (only working with '-o')
                Using the pcapng format to dump into the file.
        --console  (by default if without '-o')
                Output the captured packet info to console.
        -s, --snaplen <length>
                Only capture the first <length> packet buffer.
                The minimum snap length is 24 bytes. However, setting
                snaplen to 0 will capture entire packet.
        -c, --count <NUMBER>
                How many count packets to capture.
        -h
                Print this help.
        -A, --availpoints
                List all capture points supported.
        -F
                List all dynamic capture point functions supported.
        -4
                Capture only IPv4 Packet.
        -6
                Capture only IPv6 Packet.
        --capture <capture point>
                Specify the capture point. Use '-A' to get the list.
                If not specified, will select the capture point
                by --dir and --stage setting

The switch port options:
(for Port, Uplink and Etherswitch related capture points)
        --switchport <port ID>
                Specify the switch port by ID
        --fcport [fastpathSwitchID.]<port ID>
                Specify the fastpath port by ID
        --lifID <lif ID>
                Specify the logical interface id of VDR port
        --vmk <vmk NIC>
                Specify the switch port by vmk NIC
        --uplink <vmnic>
                Specify the switch port by vmnic

The capture point auto selection options without --capture:
        --dir <0|input|1|output|2|inputAndOutput>  (for --switchport, --vmk, --uplink, --fcport)
                The direction of flow, with respect to the vswitch:
                0- Input: to vswitch (Default), 1- Output: from vswitch, 2- Input and Output
        --stage <0|pre|1|post>  (for --switchport, --vmk, --uplink, --dvfilter, --overlay)
                The stage at which to capture: 0- Pre: before, 1- Post: after
        --kernelside (for --uplink)
                The capture point is in kernel instead of in driver.
                This option is always true and no longer required.

The capture point options
        -f [module name.]<function name>[[:offset]|[:line number]]
                The function name and the offset/line number in the function.
                The default module name is 'vmkernel'.
                The default offset into the function is 0 (the beginning of the function).
                The line number must start with letter 'L' if it's file related
                line number, or 'F' for function related line number.
                (for 'Dynamic', 'IOChain' and 'TcpipDispatch' capture points)
        --dvfilter <filter name>
                Specify the dvfilter name for DVFilter related points
        --overlay <overlay class name>
                Specify the overlay class name for 'Overlay' capture point
        --pkt-list-param-idx <num>
                Specify the pktList index in function's parameter table, starting from 1
        --pkt-param-idx <num>
                Specify the pkt index in function's parameter table, starting from 1
        --port-id-param-idx <num>
                Specify the portId index in function's parameter table, starting from 1
                --switchport option is required to filter packets by port ID
        --mbuf-param-idx <num>
                Specify the mbuf index in function's parameter table, starting from 1
        --mbuf-array-param-idx <num>
                Specify the mbuf array index in function's parameter table, starting from 1
        --num-mbufs-param-idx <num>
                Specify the mbuf array size index in function's parameter table, starting from 1
        --vprobe-pkt-list <string>
                If function offset is specified in '-f' argument, this is the vprobe
                expression to access the pointer to pktList, e.g. "rax+18"
                If file/function relative line number is specified in '-f' argument,
                this is the C expresstion to access pktList, all variables must start
                with '$' sign, e.g. "$pktListPtr"
        --vprobe-pkt <string>
                Vprobe/C expression to access the pointer to pkt, e.g. "rax+18"
                or "$pkt", see argument --vprobe-pkt-list for details.
        --vprobe-port-id <string>
                Vprobe/C expression to access switch port id, e.g. "rax+18"
                or "$portID", see argument --vprobe-pkt-list for details.
        --vprobe-mbuf <string>
                Vprobe expression to access mbuf, e.g. "rax+18"
                or "$mbufPtr", see argument --vprobe-pkt-list for details.
        --vprobe-mbuf-array <string>
                Vprobe expression to access mbuf array, e.g. "rax+18"
                or "$mbufArray", see argument --vprobe-pkt-list for details.
        --vprobe-num-mbufs <string>
                Vprobe expression to access number of mbufs in the array, e.g. "rax+18"
                or "$numMbufs", see argument --vprobe-pkt-list for details.
        --vprobe-symdbs <directory>
                The parent directory of the symbol database.
        --no-vprobe
                Don't emit vprobe script to assist packet capture, the capture
                function itself has dynamic capture point inserted
        --compile-only
                Print the vprobe script to standard output and exit
        --script <FILE>
                Start vprobe with the input .emt file to filter packets

Flow filter options, it will be applied when set:
        --srcmac <xx:xx:xx:xx:xx>
                The Ethernet source MAC address.
        --dstmac <xx:xx:xx:xx:xx>
                The Ethernet destination MAC address.
        --mac <xx:xx:xx:xx:xx>
                The Ethernet MAC address(src or dst).
        --ethtype 0x<ETHTYPE>
                The Ethernet type. HEX format.
        --vlan <VLANID>
                The Ethernet VLAN ID, one of 0-4095.
        --srcip <x.x.x.x[/<range>]>
                The source IPv4/IPv6 address.
        --dstip <x.x.x.x[/<range>]>
                The destination IPv4/IPv6 address.
        --ip <x.x.x.x>
                The IPv4/IPv6 address(src or dst).
        --proto 0x<IPPROTYPE>
                The IPv4/IPv6 protocol.
        --srcport <SRCPORT>
                The TCP source port.
        --dstport <DSTPORT>
                The TCP destination port.
        --tcpport <PORT>
                The TCP port(src or dst).
        --srcudpport <SRCPORT>
                The UDP source port.
        --dstudpport <DSTPORT>
                The UDP destination port.
        --udpport <PORT>
                The UDP port(src or dst).
        --vni <vni>
                The VNI of flow, one of 0-16777215.
        --vxlan <vxlan id>
                The vxlan id of flow. This option is depreciated, use 'vni' instead.

And this is the list of capture points for --capture (from pktcap-uw -A):

Supported capture points:
        1: Dynamic -- The dynamic inserted runtime capture point.
        2: UplinkRcv -- Function to Rx packets from uplink at driver side (obsoleted).
        3: UplinkSnd -- Function to Tx packets on uplink at driver side (obsoleted).
        4: VnicTx -- Function in vnic backend to Tx packets from guest
        5: VnicRx -- Function in vnic backend to Rx packets to guest
        6: PortInput -- Port_Input function of any given port
        7: IOChain -- The virtual switch port iochain capture point.
        8: EtherswitchDispath -- Function that receives packets for switch
        9: EtherswitchOutput -- Function that sends out packets, from switch
        10: PortOutput -- Port_Output function of any given port
        11: TcpipDispatch -- Tcpip Dispatch function
        12: PreDVFilter -- Before DVFIlter capture point
        13: PostDVFilter -- After DVFilter capture point
        14: Drop -- Dropped Packets capture point
        15: VdrRxLeaf -- The Leaf Rx IOChain for VDR
        16: VdrTxLeaf -- The Leaf Tx IOChain for VDR
        17: VdrRxTerminal -- Terminal Rx IOChain for VDR
        18: VdrTxTerminal -- Terminal Tx IOChain for VDR
        19: PktFree -- Packets freeing point
        20: TcpipRx -- TcpipRX function
        21: TcpipTx -- TcpipTX function
        22: UplinkRcvKernel -- The function that receives packets from uplink dev at kernel side
        23: UplinkSndKernel -- Function to Tx packets on uplink at kernel side
        24: PreOverlayInput -- Before overlay input callback
        25: PostOverlayInput -- After overlay input callback
        26: PreOverlayOutput -- Before overlay output callback
        27: PostOverlayOutput -- After overlay output callback
        28: EnsPortReaderRx -- Read mbufs from an ENS port
        29: EnsPortWriterTx -- Write mbufs to an ENS port
        30: EnsPortWriterQueue -- Queue mbufs to an ENS port
        31: EnsPortWriterFlush -- Flush mbufs on an ENS port
