Friday, November 29, 2019

tcpdump-uw vs pktcap-uw: How to use them

tcpdump-uw and pktcap-uw are two different tools for capturing and analyzing the packets/frames received by or sent from an ESXi host. In some troubleshooting situations, especially networking and communication problems, you will need these tools. In this post I want to demonstrate and talk about how to work with these useful CLIs.
tcpdump-uw is a great CLI that exists on the ESXi host for packet capturing. Most of the time we need to know the details of the network traffic of each VMkernel port on the ESXi host, but before that you need to be able to understand, verify and analyze the output of the tcpdump-uw command.
Before working with tcpdump-uw, we need to find out which VMkernel ports exist on the host by running:

esxcli network ip interface ipv4 get
or you can list them with tcpdump-uw -D. Commonly used tcpdump-uw options:
-i select the interface/network adapter on which to listen for Rx/Tx packets
-n do not resolve names (addresses and ports are printed numerically)
-t do not print timestamps
-c stop after the specified number of captured packets
-e print the Ethernet header, i.e. the source and destination MAC address of each frame
-w write the captured packets to a file
-s0 capture each packet in full instead of truncating it

Also, if you need to exclude a specific protocol or port, for example HTTP traffic on TCP port 80, add not tcp port 80 to the filter expression.
You can show more detail about the captured data by adding the -v option (-vv and -vvv give even more detail).

For TCP headers, tcpdump-uw shows the TCP flag state of each segment as a letter in its output; the flag letters you will see are listed below (with -q you get a quieter output that skips these details):
S syn / P push / F finish / R reset

Some examples of tcpdump-uw usage:

# tcpdump-uw -i vmk0 icmp
# tcpdump-uw -i vmk0 -w capturedpackets.pcap
# tcpdump-uw -i vmk0 host x.x.x.x
# tcpdump-uw -i vmk0 not arp and not port 22 and not port 53
# tcpdump-uw -i vmk0 -c 10

Just remember that this CLI can only capture packets/frames at the VMkernel level, so to capture frames at the uplinks, the vSwitch or a virtual port, pktcap-uw is used for the other traffic of the ESXi host. By default pktcap-uw captures only inbound traffic, but since the release of ESXi 6.7 you can specify the direction:
--dir 0 (incoming) / --dir 1 (outgoing) / --dir 2 (in/out)
(Remember that in earlier versions you can only specify one direction at a time.) Here is a list of useful pktcap-uw options:

--vmk vmk0  capture traffic on VMkernel port vmk0
--uplink vmnic0  capture traffic on physical port vmnic0
-o capturedfile.pcap  write the output to a file
-G 10  capture duration in seconds
-C 100  maximum capture file size in megabytes
--switchport 11  capture on a specific port of the virtual switch.

Here is an example of pktcap-uw:
pktcap-uw --vmk vmk0 -o /vmfs/volumes/datastore1/_export_/capture.pcap --switchport 6666 -c 1000
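As an added example (not from the original post, and not part of ESXi or pktcap-uw itself), the following hypothetical shell helper builds a pktcap-uw command from the options listed above. It maps a direction name to --dir, checks the capture point, and forces a time limit (-G) and a size limit (-C) on every capture so that a forgotten capture cannot fill the datastore; the capture point names, path check and function name are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the original post): build a
# bounded pktcap-uw command. Direction mapping follows the post:
#   in = --dir 0, out = --dir 1, both = --dir 2 (ESXi 6.7 and later only).

# True only for a positive integer; rejects empty strings and "-1"-style values.
is_posint() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -gt 0 ]
}

# Usage: build_capture <point> <name> <in|out|both> <seconds> <megabytes> <outfile>
#   <point> is vmk, uplink or switchport, e.g. "vmk vmk0", "uplink vmnic0", "switchport 11"
# Prints the command on stdout; returns 1 and prints a reason on stderr if any input is bad.
build_capture() {
  point=$1; name=$2; direction=$3; secs=$4; mb=$5; out=$6
  case "$point" in
    vmk|uplink|switchport) ;;
    *) echo "unknown capture point: $point" >&2; return 1 ;;
  esac
  [ -n "$name" ] || { echo "capture point needs a name/number" >&2; return 1; }
  case "$direction" in
    in)   dir=0 ;;
    out)  dir=1 ;;
    both) dir=2 ;;
    *) echo "direction must be in, out or both" >&2; return 1 ;;
  esac
  # Both limits are mandatory: never start an unbounded capture on a host.
  is_posint "$secs" || { echo "seconds must be a positive integer" >&2; return 1; }
  is_posint "$mb"   || { echo "megabytes must be a positive integer" >&2; return 1; }
  # Write to a datastore, not to the small root ramdisk (assumed convention).
  case "$out" in
    /vmfs/volumes/*) ;;
    *) echo "outfile must be under /vmfs/volumes" >&2; return 1 ;;
  esac
  echo "pktcap-uw --$point $name --dir $dir -G $secs -C $mb -o $out"
}

# Example: both directions on vmk0, at most 60 seconds and 100 MB.
# To actually capture, run: eval "$(build_capture vmk vmk0 both 60 100 /vmfs/volumes/datastore1/_export_/vmk0.pcap)"
build_capture vmk vmk0 both 60 100 /vmfs/volumes/datastore1/_export_/vmk0.pcap
```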

For more information you can refer to the following link:

https://www.virten.net/2015/10/esxi-network-troubleshooting-with-tcpdump-uw-and-pktcap-uw/
