How do I run a packet capture on ESX?

In order to run a tcpdump on ESX you will need to add a service console to your virtual switch. This is achieved via the following steps:

Set the Virtual Switch to Promiscuous

  1. Within the vSphere Client go to Configuration | Networking.
  2. Choose the virtual switch that you would like to capture the traffic on.
  3. On the virtual switch click Properties.
  4. Under the Ports Tab choose your vSwitch and select Edit.
  5. Within the Security Tab set Promiscuous mode to Accept.

Add a Service Console

  1. Still within the virtual switch properties:
  2. Click Add (under the Ports tab)
  3. Select Service Console, click Next
  4. Add a network label and set the VLAN ID to 4095 (this will allow you to see all traffic, including VLAN-tagged packets)
  5. Click Next and then Finish

You should now see under your virtual switch the Service Console Port. This will include a new virtual switch interface (vswif).
Now log into the ESX box via SSH and run a tcpdump against this vswif interface. You will now see the traffic. Below is a small example:

[root@ESX1 root]# tcpdump -ni vswif1
tcpdump: listening on vswif1
13:19:46.790220 802.1Q vlan#20 P0 0.0.0.0.8116 > 10.1.20.0.8116: udp 36
13:19:46.791766 802.1Q vlan#10 P0 0.0.0.0.8116 > 10.1.20.0.8116: udp 36
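Because the service console port sits on VLAN 4095 with promiscuous mode on, the capture above carries frames from every VLAN on the vSwitch, and each line names its VLAN with the 802.1Q "vlan#" tag. The following POSIX shell script is an added example (not from the original article): it reads tcpdump output in that format and reports how many frames were seen per VLAN, then flags any VLAN that is not on an allow-list you supply, which is a quick way to confirm the capture really covers the VLANs you expect and to spot traffic from segments that should not be reaching this switch. The sample lines embedded in SAMPLE_CAPTURE are constructed to match the format shown above; the function names are my own.

```shell
#!/bin/sh
# Constructed sample lines in the format tcpdump prints for 802.1Q-tagged frames
# (same layout as the capture shown in the article; values are made up).
SAMPLE_CAPTURE='13:19:46.790220 802.1Q vlan#20 P0 0.0.0.0.8116 > 10.1.20.0.8116: udp 36
13:19:46.791766 802.1Q vlan#10 P0 0.0.0.0.8116 > 10.1.20.0.8116: udp 36
13:19:47.100000 802.1Q vlan#20 P0 10.1.20.5.54321 > 10.1.20.1.53: udp 40
13:19:47.200000 802.1Q vlan#30 P0 10.1.30.7.443 > 10.1.30.9.50000: tcp 0'

# vlan_summary: read tcpdump lines on stdin and print "<vlan-id> <frame-count>",
# one VLAN per line, sorted numerically by VLAN id. Untagged lines are ignored.
vlan_summary() {
    awk '/802\.1Q vlan#/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^vlan#[0-9]+$/) { sub(/^vlan#/, "", $i); n[$i]++ }
         }
         END { for (v in n) print v, n[v] }' | sort -n
}

# unexpected_vlans: read tcpdump lines on stdin and print every VLAN id that is
# not in the space-separated allow-list given as $1 (e.g. "10 20").
# Returns 1 if at least one unexpected VLAN was seen, 0 otherwise.
unexpected_vlans() {
    allowed=" $1 "
    found=0
    for v in $(vlan_summary | awk '{ print $1 }'); do
        case "$allowed" in
            *" $v "*) ;;                 # VLAN is on the allow-list
            *) echo "$v"; found=1 ;;     # VLAN not expected on this vSwitch
        esac
    done
    return $found
}

# Stand-alone usage against the constructed sample. In practice you would feed
# it a saved capture, e.g.:  tcpdump -ni vswif1 > capture.txt; vlan_summary < capture.txt
if [ "${1:-}" = "--demo" ]; then
    echo "Frames per VLAN:"
    printf '%s\n' "$SAMPLE_CAPTURE" | vlan_summary
    echo "VLANs not on allow-list (10 20):"
    printf '%s\n' "$SAMPLE_CAPTURE" | unexpected_vlans "10 20" || echo "(review the above)"
fi
```

Run it with `--demo` to see the summary for the embedded sample, or pipe real tcpdump output into `vlan_summary`. Keep in mind that while promiscuous mode is set to Accept, every port on that vSwitch can see the same traffic the service console does, so set it back to Reject once the capture is finished.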

Rick Donato
