Performing a network trace on an ESXi host can help diagnose network-related issues by capturing and analyzing network traffic. The process involves using the command-line interface (CLI) to capture packets and then analyzing these packets using tools like Wireshark.
You might have encountered a situation where your In-House Networking Team is giving you a hard time accepting that there are no issues on their end and since you have a problem with the ESXi Host, you are stuck and need help capturing network traces for them to review.
In this article, we are going to learn exactly how to make that happen.
First, we need to understand exactly where we need to capture the network traces. To simplify this we can have this in Two Ways:
Investigating Packet drops for a Virtual Machine:
As we know a Virtual Machine that is running on an ESXi host will have some connectivity with the Physical Network Interfaces.
- To find that connectivity ID or in VMware’s term Switch Port Number we can follow the below steps:
- Log in to the ESXi host where the VM is running and gather all the below information,
esxcli network vm list | grep -i VM_Name
esxcli network vm port list -w World_ID
- World_ID could be found from the first command.
- Once you have captured the switch Port Number to which the VM is connected you can run the below command to capture the Incoming and Outgoing Traffic.
Please note that you will have to run it separately
- The switchport_number for the below commands can be obtained from the second command.
- Open to SSH session to the same host and run the below command by replacing the right parameters.
pktcap-uw --switchport switchport_number --dir 1 -o /vmfs/volumes/datastore/switchportnumber_dir1.pcap
pktcap-uw --switchport switchport_number --dir 0 -o /vmfs/volumes/datastore/switchportnumber_dir0.pcap - This would capture all the inbound and outbound packets and save it to /vmfs/volumes/datastore/
- Open to SSH session to the same host and run the below command by replacing the right parameters.
Investigating Packet drops for a Physical Network Adapter:
Packet capture on pnic (assumed as vmnic0, modify accordingly)
pktcap-uw --uplink vmnicX --dir 0 -o /vmfs/volumes/datastore/vmnicX_dir0.pcap
pktcap-uw --uplink vmnicX --dir 1 -o /vmfs/volumes/datastore/vmnicX_dir1.pcap
Investigating Packet drops for a vNic:
Packet capture on vNic:
- Run net-stats -l and find the problematic VM’s switchport.
For e.g. 33554927 is the switchport used by VM1
PortNum Type SubType SwitchName MACAddress ClientName
33554927 5 7 DvsPortset-0 00:50:56:8a:24:c8 VM1.eth0
- Run the command:
pktcap-uw ---switchport 33554927 -o -dir 0 -o /vmfs/volumes/datastore/vnicX_dir0.pcap
pktcap-uw ---switchport 33554927 -o -dir 1 -o /vmfs/volumes/datastore/vnicX_dir0.pcap
Lab Test:
- Pinged the vCenter IP: 192.168.50.10 from ESXi Host 192.168.1.2
- On DIR-1 We can see the response going to the Destination IP 50.10
- To check the Response when we check the DIR-0 Pcap we can see below:
- There is a reply to the Ping which we have initiated with the vCenter Server.
