How do I run a packet capture on ESX?
To run tcpdump on ESX you will need to add a service console port to your virtual switch. This is achieved via the following steps:
Set the Virtual Switch to Promiscuous
- Within the vSphere Client go to Configuration | Networking.
- Choose the virtual switch that you would like to capture the traffic on.
- On the virtual switch click Properties.
- Under the Ports Tab choose your vSwitch and select Edit.
- Within the Security Tab set Promiscuous mode to Accept.
Add a Service Console
- Still within the virtual switch properties:
- Click Add (under the Ports tab).
- Select Service Console, click Next.
- Add a network label and set the VLAN ID to 4095 (this will allow you to see all traffic, including VLAN-tagged packets).
- Click Next and then Finish
You should now see under your virtual switch the Service Console Port. This will include a new virtual switch interface (vswif).
Now log into the ESX host via SSH and run tcpdump against this vswif interface. You will now see the traffic. Below is a small example:
[root@ESX1 root]# tcpdump -ni vswif1
tcpdump: listening on vswif1
13:19:46.790220 802.1Q vlan#20 P0 0.0.0.0.8116 > 10.1.20.0.8116: udp 36
13:19:46.791766 802.1Q vlan#10 P0 0.0.0.0.8116 > 10.1.20.0.8116: udp 36
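Because the VLAN 4095 port shows every tagged frame on the vSwitch, the capture is also a quick check of which VLANs actually pass through it. The following is an added example (not from the original page) with a hypothetical helper that tallies packets per VLAN from tcpdump output in the format shown above and flags any VLAN not in an expected list; the sample lines are constructed.

```shell
#!/bin/sh
# Added example: summarise per-VLAN packet counts from tcpdump output
# captured on a vswif port with VLAN ID 4095 (tagged frames are printed
# as "802.1Q vlan#<id>"). Hypothetical helper, not part of the original page.

# Constructed sample of "tcpdump -ni vswif1" output (not a real capture).
SAMPLE_CAPTURE='13:19:46.790220 802.1Q vlan#20 P0 0.0.0.0.8116 > 10.1.20.0.8116: udp 36
13:19:46.791766 802.1Q vlan#10 P0 0.0.0.0.8116 > 10.1.20.0.8116: udp 36
13:19:47.001002 802.1Q vlan#20 P0 10.1.20.5.53 > 10.1.20.7.1045: udp 90
13:19:47.120930 10.1.1.4.22 > 10.1.1.9.51022: tcp 0'

# Count packets per VLAN read from stdin; frames without an 802.1Q header
# are reported as "untagged". Output: "<vlan> <count>" per line, sorted.
vlan_summary() {
    awk '{
        if ($2 == "802.1Q") { v = substr($3, 6) } else { v = "untagged" }
        n[v]++
    } END { for (v in n) print v, n[v] }' | sort
}

# Report VLAN labels seen in the capture that are not in the expected list
# ($1 = space-separated VLAN IDs the vSwitch is supposed to carry).
unexpected_vlans() {
    expected=" $1 "
    vlan_summary | while read -r v c; do
        case "$expected" in
            *" $v "*) ;;
            *) echo "unexpected VLAN $v ($c packets)" ;;
        esac
    done
}

# Stand-alone run on the sample; pipe live "tcpdump -ni vswif1" in instead.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CAPTURE" | vlan_summary
    printf '%s\n' "$SAMPLE_CAPTURE" | unexpected_vlans "10 20"
fi
```

Once the capture is finished, remove the service console port and set Promiscuous mode back to Reject, since in this state every frame on the vSwitch is visible to the service console.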