NSX Packet capturing for NSX Ninja – Part 1

My dear NSX Ninja, this is my first post on this blog and it is a part of the Troubleshooting (TRBL) and Commands (CLI) series. In this series, I will show you a couple of interesting topics about TRBL and CLI which can help you with NSX each day.

We have the following packet capture commands:

pktcap-uw and tcpdump-uw commands are native to ESXi hosts
start capture command is the NSX packet capture tool, I will cover this in part 2 of this post.

First, we will look at packet capturing CLI pktcap-uw which we can use for capturing and TRBL on ESXi host.

esxcli,net-stats, and esxtop Commands

Before we start using pktcap-uw we need to gather a couple of information for packet capturing. We can use different CLI on the ESXi host. I will show you CLI which you can use.


Esxtop utility by default run in interactive mode and if you want to see the Network panel you need to type the letter n as an n:network
We need to know PORT-ID for web-01a VM.

esxtop with the letter n


This command net-stats is very powerful and can get you a lot of deep-dive information. In my example, I use for the same information as esxtop utility so you can choose which command is better for you. net-stats -l list ports in the system.

net-stats -l


You can use esxcli command to manage many aspects of an ESXi host. In our case, we just use to list all Physical NICs loaded on the system.

esxcli network nic list


We use summarize-dvfilter command to get the vNIC filter for the web-01a VM. We can see the filter name for slot 2 attached.

summarize-dvfilter | grep -A5 web


There is also another CLI little bit older but still valid. esxcfg-vmknic -l commands we use for listing VMkernel NICs. ( Yes you can use esxcli but this is just an example of another command )

esxcfg-vmknic -l

pktcap-uw Command

At this moment we gathered all information that we need for packet capture with pktcap-uw command.

Note: Certain options of the pktcap-uw utility are designed for VMware internal use only and you should use them only under the supervision of VMware Technical Support. These options are not described in the vSphere Networking guide. 


For example I ping from web-01a IP to the db-01a IP

PING WEB-01a to DB-01a

We can use the pktcap-uw command to capture packets from the ESXi host and analyze the output with the tcpdump-uw command. pktcap-uw has a lot of options. I will describe the important ones for you. The first is the –dir option to capture the packet according to the direction. ( By default captures the incoming traffic ) The second is -the-stage option to capture the traffic before or after the dvfilter.

–dir 0 – capture incoming traffic
–dir 1 – capture outgoing traffic
–dir 2 – capture both traffic

The direction of flow, with respect to the vswitch:
0- Input: to vswitch (Default), 1- Output: from vswitch, 2- Input and Output

–stage 0 – before traffic dvfilter
–stage 1 – after traffic dvfilter

Following example shows we are capturing packet for a port web-01a VM and the port number is associated with web-01a.eth0 interface. Only incoming packets are captured and saved in file named livefiresolutions.pcap.

pktcap-uw –switchport 67108890 –dir 0 -o livefiresolutions.pcap

In the following example, we capture the physical NIC vmnic1 on host esx-01a and redirect the output to tcpdump-uw Immediately.

pktcap-uw –uplink vmnic1 –dir 0 -o – | tcpdump-uw -enr –

In the following example, we capture VMkernel port vmk10 ( TEP ) –dir 2 both Input and Output.

pktcap-uw –vmk vmk10 –dir 2 -o – | tcpdump-uw -enr –

In the following example we capture dvfilter web-01a VM – PreDVFilter — Before DVFIlter capture point

pktcap-uw -c 5 –capture PreDVFilter –dvfilter nic-1068889-eth0-vmware-sfw.2 -o – | tcpdump-uw -enr –

This is my last example for pktcap-uw with –trace option captures each packet at each point and is very verbose.

pktcap-uw -c 5 –switchport 67108890 –trace

tcpdump-uw Command

The last command is tcpdump-uw it can capture vmk , but not in switch ports or uplinks. I used it here only to decode pcaps online or read them.

We use tcpdump-uw to read our previous file livefiresolutions.pcap

tcpdump-uw -enr livefiresolutions.pcap

Or we can decode pcap online

pktcap-uw –switchport 67108890 –dir 0 -o – | tcpdump-uw -enr –

The same example only we change –dir

pktcap-uw –switchport 67108890 –dir 1 -o – | tcpdump-uw -enr –

Of course, if you prefer to read .pcap in Wireshark you can copy the file to your local desktop.

WinSCP – Copy .pcap file

Open with Wireshark


I hope these short examples will help you with small TRBL in your environment. Enjoy packet capturing and See with another post.

Self-study source for you:
esxcli – https://developer.vmware.com/web/tool/7.0/esxcli
pktcap-uw – https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-networking/GUID-5CE50870-81A9-457E-BE56-C3FCEEF3D0D5.html
vsphere-cli – https://developer.vmware.com/web/tool/6.7/vsphere-cli

Karel Novak

Leave a Reply