fir3net

How do I run a packet capture on ESX?

To run tcpdump on ESX you need to add a Service Console port to the virtual switch you want to capture on. This is achieved via the following steps:

Set the Virtual Switch to Promiscuous

  1. Within the vSphere Client go to Configuration | Networking.
  2. Choose the virtual switch that you would like to capture the traffic on.
  3. On the virtual switch click Properties.
  4. Under the Ports Tab choose your vSwitch and select Edit.
  5. Within the Security Tab set Promiscuous mode to Accept.

Add a Service Console

  1. Still within the virtual switch properties:
  2. Click Add (under the Ports tab).
  3. Select Service Console, click Next.
  4. Add a network label and set the VLAN ID to 4095 (this allows you to see all traffic, including VLAN-tagged packets).
  5. Click Next and then Finish.

You should now see the Service Console port listed under your virtual switch. This creates a new virtual switch interface (vswif).
Now log into the ESX host via SSH and run tcpdump against this vswif interface; you will now see the traffic. Below is a small example:

[root@ESX1 root]# tcpdump -ni vswif1
tcpdump: listening on vswif1
13:19:46.790220 802.1Q vlan#20 P0 0.0.0.0.8116 > 10.1.20.0.8116: udp 36
13:19:46.791766 802.1Q vlan#10 P0 0.0.0.0.8116 > 10.1.20.0.8116: udp 36
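A quick way to confirm that the VLAN 4095 setting is actually in effect is to check that frames from more than one VLAN tag show up on the vswif interface. The script below is an added example, not fir3net's own code: it post-processes the text that tcpdump prints (the same format as the output above), tallies packets per 802.1Q VLAN, and offers a helper that returns success only if a given VLAN was seen. The capture lines embedded in it are constructed for offline use; the interface name vswif1 is taken from the example above.

```shell
#!/bin/sh
# Added example (not fir3net's code): summarise the VLANs visible in a
# tcpdump capture taken on the ESX Service Console interface (vswif1).
# Intended usage on the host:  tcpdump -ni vswif1 | sh vlan_summary.sh

# Constructed sample capture, in the same text format tcpdump prints.
SAMPLE_CAPTURE='tcpdump: listening on vswif1
13:19:46.790220 802.1Q vlan#20 P0 0.0.0.0.8116 > 10.1.20.0.8116: udp 36
13:19:46.791766 802.1Q vlan#10 P0 0.0.0.0.8116 > 10.1.20.0.8116: udp 36
13:19:47.102931 802.1Q vlan#20 P0 10.1.20.5.49152 > 10.1.20.9.22: tcp 52
13:19:47.200114 IP 192.168.1.10.53422 > 192.168.1.1.53: udp 41'

# vlan_summary: read tcpdump lines on stdin and print "<vlan> <packets>"
# for each VLAN tag seen; frames without an 802.1Q tag count as "untagged".
vlan_summary() {
    awk '
        # Only count packet lines, which begin with an hh:mm:ss timestamp;
        # this skips the "listening on ..." banner and any stray text.
        $1 !~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/ { next }
        {
            tag = "untagged"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^vlan#[0-9]+$/) { tag = substr($i, 6); break }
            count[tag]++
        }
        END { for (t in count) print t, count[t] }
    '
}

# vlan_seen <id>: succeed (exit 0) if at least one frame tagged <id> is on stdin.
# Useful as a post-setup check: if the VLANs you expect never appear, the
# port group is probably not set to VLAN ID 4095.
vlan_seen() {
    grep -q "802\.1Q vlan#$1 "
}

# When run directly, summarise the constructed sample so it works offline.
printf '%s\n' "$SAMPLE_CAPTURE" | vlan_summary
```

Promiscuous mode applies to every VM attached to the vSwitch or port group where it is enabled, so scoping it to a dedicated capture port group and setting it back to Reject once the capture is done keeps other VMs from observing each other's traffic.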

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001