To capture network activity on ESXi from the command line, you must use a different, ESXi-specific form of the tcpdump command: tcpdump-uw.
Take care to write the capture somewhere with enough storage. Even when logged in as root, the root filesystem may have very little free space in its default directory. Also, on hosts that use NAS over TCP, the capture will include the storage traffic itself if datastores are mounted via NFS or other protocols that pass through the same NIC.
notes captured from this info page
Capturing network traces with tcpdump-uw
- To list the vmkernel interfaces, use the esxcfg-vmknic command with the -l option:
# esxcfg-vmknic -l
- To display packets on the vmkernel interface vmk0, use the tcpdump-uw command with the -i option:
# tcpdump-uw -i vmk0
- By default, the tcpdump and tcpdump-uw commands capture only the first 68 bytes of data from a packet.
For ESXi 5.5, see Using the pktcap-uw tool in ESXi 5.5 (2051814).
- To capture the entire packet, use the tcpdump-uw command with the -s option with a value of 1514 for normal traffic and 9014 if Jumbo Frames are enabled.
Normal traffic:
# tcpdump-uw -i vmk0 -s 1514
Jumbo Frames enabled:
# tcpdump-uw -i vmk0 -s 9014 -B 9
Note: By default, tcpdump-uw can only capture a maximum of 8138 bytes due to buffer constraints. The -B 9 option increases the buffer to allow the capture of up to 9014 bytes.
- To display all of the packets on vmk0 with verbose detail, use the tcpdump-uw command with the -vvv option:
# tcpdump-uw -i vmk0 -s 1514 -vvv
Note: Refer to the help page for the tcpdump-uw command for more -v options.
- To display only the TCP packets on vmk0, use the tcp option with the tcpdump-uw command.
# tcpdump-uw -i vmk0 -s 1514 tcp
- To see traffic to/from only a single IP address, you can use the host option:
# tcpdump-uw -i vmk0 -s 1514 host x.x.x.x
- To avoid seeing unwanted traffic types in the tcpdump-uw output, use the not option. For example, to filter out DNS and SSH traffic, use the following command:
# tcpdump-uw -i vmk0 -s 1514 port not 22 and port not 53
Note: This is useful when doing a packet capture on a VMkernel interface when that same interface is also being used for an active SSH session.
- To save the dump in pcap format for later use with Wireshark, use the -w option with an output file name such as traffic.pcap.
# tcpdump-uw -i vmk0 -s 1514 -w traffic.pcap
- If the trace runs for a long time, you can split the trace pcap file into chunks of the desired size using the -C option.
# tcpdump-uw -i vmk0 -s 1514 -C 100M -w /var/tmp/test.pcap
- To limit the trace files to a specified number, you can use the -W option. Use this option when a trace must be left running for a long period of time, waiting for an event to occur.
# tcpdump-uw -i vmk0 -s 1514 -C 100M -W 10 -w /var/tmp/test.pcap
This command creates 10 trace files of 100 MB each, so you do not run out of space on ESX.
Note: This option has the same effect as rotating the log files.
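As an added example (not from the original notes or from VMware), a small POSIX sh wrapper that ties the storage caveat at the top of these notes to the rotating capture: it builds the tcpdump-uw command line from the flags listed above, checks that the destination directory can hold the whole ring of files before starting, and only runs the capture when DO_CAPTURE=1 is set in the environment. The function names, the 10% margin, and the assumption that df -Pk reports available space in its 4th column are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): wrapper for a rotating tcpdump-uw
# capture on an ESXi VMkernel interface that checks free space on the destination
# directory first, since the root filesystem on ESXi often has little room.
# The function names esxi_capture_cmd, capture_need_kb and check_capture_space are
# this example's own; the tcpdump-uw flags are the ones from the notes above.

# Print the tcpdump-uw command line for a rotating capture.
# Args: interface, snaplen, chunk size (MB), number of files, output path, [BPF filter...]
esxi_capture_cmd() {
    iface="$1"; snaplen="$2"; chunk_mb="$3"; nfiles="$4"; out="$5"; shift 5
    filter="$*"
    cmd="tcpdump-uw -i $iface -s $snaplen"
    # Snaplens above 8138 bytes (jumbo frames) need the larger buffer, per the notes.
    if [ "$snaplen" -gt 8138 ]; then
        cmd="$cmd -B 9"
    fi
    cmd="$cmd -C ${chunk_mb}M -W $nfiles -w $out"
    if [ -n "$filter" ]; then
        cmd="$cmd $filter"
    fi
    printf '%s\n' "$cmd"
}

# Space the rotated files can occupy, in KB, plus a 10% margin (the -C size is a
# threshold that tcpdump checks per packet, so files run slightly over it).
capture_need_kb() {
    chunk_mb="$1"; nfiles="$2"
    echo $(( chunk_mb * nfiles * 1024 * 11 / 10 ))
}

# Succeed only if the directory has room for the full ring of files.
# Assumption: df -Pk prints "Available" in the 4th column (POSIX output format).
check_capture_space() {
    dir="$1"; chunk_mb="$2"; nfiles="$3"
    need_kb=$(capture_need_kb "$chunk_mb" "$nfiles")
    avail_kb=$(df -Pk "$dir" 2>/dev/null | awk 'NR==2 {print $4}')
    [ -n "$avail_kb" ] && [ "$avail_kb" -ge "$need_kb" ]
}

# Usage: build and (only when DO_CAPTURE=1 is set) run a capture on vmk0 of
# 10 x 100 MB files under /var/tmp, excluding the SSH session doing the capture.
main() {
    outdir="${CAPTURE_DIR:-/var/tmp}"
    cmd=$(esxi_capture_cmd vmk0 1514 100 10 "$outdir/test.pcap" port not 22 and port not 53)
    echo "capture command: $cmd"
    if ! check_capture_space "$outdir" 100 10; then
        echo "not enough free space in $outdir for $(capture_need_kb 100 10) KB" >&2
        return 1
    fi
    if [ "${DO_CAPTURE:-0}" = 1 ]; then
        eval "$cmd"
    fi
}
main
```

Run it once without DO_CAPTURE to see the command and the space check result, then with DO_CAPTURE=1 from the ESXi shell to start the capture; set CAPTURE_DIR to a datastore path if /var/tmp is too small.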
Traffic on a virtual internal switch must be captured in a different manner.
notes taken from here: