I recently ran into an issue where we needed to capture some packets from the vmk interface on a Nutanix/vSphere host. I found this great utility for that, pktcap-uw; however, it only captures traffic in one direction by default. Thankfully I found someone with the info on how to run both incoming and outgoing captures at the same time.
- SSH to the host
- Update the cmd below to reflect your vmk port or whatever you are trying to capture
- Run this cmd (both captures are started in the background, one per direction):
    pktcap-uw --vmk vmk0 --dir 0 -o /tmp/vmk0_in.pcap & pktcap-uw --vmk vmk0 --dir 1 -o /tmp/vmk0_out.pcap &
- Shut down the capture after you're done with this cmd (on ESXi the first lsof column is the cartel/process ID):
    kill $(lsof | grep pktcap-uw | awk '{print $1}' | sort -u)
- Use WinSCP to connect to the host
- Copy the vmk0_in.pcap and vmk0_out.pcap files from /tmp
- Save them somewhere useful
- Open the first file in Wireshark
- Click File > Merge > pick the 2nd file
- And you should be presented with a capture with both incoming and outgoing packets.
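The Wireshark File > Merge step interleaves the two one-way captures by timestamp. The following is an added example, not part of the original post, that does the same merge in pure Python so it can be scripted: it parses the classic little-endian microsecond pcap format (assumed to be what pktcap-uw wrote), interleaves the records from vmk0_in.pcap and vmk0_out.pcap by timestamp, and writes a single file. The two inputs below are constructed stand-ins, not real captures.

```python
import struct
from typing import List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap with microsecond timestamps
Packet = Tuple[int, int, bytes]   # (ts_sec, ts_usec, frame bytes)

def read_pcap(data: bytes) -> Tuple[bytes, List[Packet]]:
    """Split a classic pcap file into its 24-byte global header and packet records."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x (only LE microsecond pcap handled)" % magic)
    header, packets, off = data[:24], [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        packets.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return header, packets

def merge_pcaps(files: List[bytes]) -> bytes:
    """Interleave packets from several captures by timestamp (what Wireshark's File > Merge does)."""
    header: Optional[bytes] = None
    merged: List[Packet] = []
    for data in files:
        h, pkts = read_pcap(data)
        if header is None:
            header = h
        elif h[20:24] != header[20:24]:          # bytes 20..24 hold the link-layer type
            raise ValueError("link-layer types differ; cannot merge")
        merged.extend(pkts)
    merged.sort(key=lambda p: (p[0], p[1]))      # stable sort keeps in-before-out for equal stamps
    out = bytearray(header or b"")
    for ts_sec, ts_usec, frame in merged:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return bytes(out)

def make_pcap(packets: List[Packet], linktype: int = 1) -> bytes:
    """Build a minimal pcap from constructed records (linktype 1 = Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for ts_sec, ts_usec, frame in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return bytes(out)

# Constructed stand-ins for /tmp/vmk0_in.pcap and /tmp/vmk0_out.pcap (not real captures).
VMK0_IN = make_pcap([(100, 0, b"in-1"), (100, 500, b"in-2")])
VMK0_OUT = make_pcap([(100, 250, b"out-1"), (101, 0, b"out-2")])

if __name__ == "__main__":
    merged = merge_pcaps([VMK0_IN, VMK0_OUT])
    with open("vmk0_merged.pcap", "wb") as f:
        f.write(merged)
    print([p[2] for p in read_pcap(merged)[1]])   # [b'in-1', b'out-1', b'in-2', b'out-2']
```

Replace the constructed inputs with `open("vmk0_in.pcap", "rb").read()` and the out file to merge real captures; Wireshark opens the result like any other pcap.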
Looks like there is now a bi-directional capture option (--dir 2), not sure if it was released recently but this is from 6.7 U2.
--dir (for --switchport, --vmk, --uplink, --fcport)
The direction of flow, with respect to the vswitch:
0- Input: to vswitch (Default), 1- Output: from vswitch, 2- Input and Output
When I figured this out it was for an older version. It’s good to see it’s in the newer version, it was kind of a pain for just a capture.