Monday, April 20, 2015

vmware esxi command line performance command, network tracing

Performance, or top command for esxi is esxtop

To capture network activity on esxi with command line,  one must use a different special form of the tcpdump command.

Take care to position where you will have some storage capacity.  Though logged in as root, the root fs structure may have very little storage in its default directory.  Also on systems with tcp nas, traffic will be added if one used datastores which are mounted via nfs or other protocols visible to the NIC.

notes captured from this info page

Capturing network traces with tcpdump-uw

  • To list the vmkernel interfaces, use the esxcfg-vmknic command with the -l option:

    # esxcfg-vmknic -l
  • To display packets on the vmkernel interface vmk0, use the tcpdump-uw command with the -i option:

    # tcpdump-uw -i vmk0
  • To capture the entire packet, use the tcpdump-uw command with the -s option with a value of 1514 for normal traffic and 9014 if Jumbo Frames are enabled.

    Normal traffic: # tcpdump-uw -i vmk0 -s 1514Jumbo Frames enabled: # tcpdump-uw -i vmk0 -s 9014 -B 9

    Note: By default, tcpdump-uw can only capture a maximum of 8138 bytes due to buffer constraints. The -B 9 option increases the buffer to allow the capture of up to 9014 bytes.

  • To display all of the packets on vmk0 with verbose detail,  use the tcpdump-uw command with the -vvv option:

    # tcpdump-uw -i vmk0 -s 1514 -vvv
    Note: Refer the help page for tcpdump-uw command for more -v options.

  • To display only the TCP packets on vmk0, use the tcp option with the tcpdump-uw command.

    # tcpdump-uw -i vmk0 -s 1514 tcp
  • To see traffic to/from only a single IP address, you can use the host option:

    # tcpdump-uw -i vmk0 -s 1514 host x.x.x.x

  • To avoid seeing unwanted traffic types in the tcpdump-uw output, use the not option. For example, to filter out DNS and SSH traffic, use the following command:

    # tcpdump-uw -i vmk0 -s 1514 port not 22 and port not 53

    Note: This is useful when doing a packet capture on a VMkernel interface when that same interface is also being used for an active SSH session.

  • To save the dump in pcap format for later use with Wireshark, use the traffic.pcap option.

    # tcpdump-uw -i vmk0 -s 1514 -w traffic.pcap
  • If the trace is running for long time, you can split the trace pcap file to chunks of desired size using the-C option.

    # tcpdump-uw -i vmk0 -s 1514 -C 100M -w /var/tmp/test.pcap
  • To limit the log files to a specified number, you can use the -W option. You can use this option if a trace must be set running for a long period of time, waiting for an even to occur.

    For example:

    # tcpdump-uw -i vmk0 -s 1514 -C 100M -W 10 -w /var/tmp/test.pcap
    This command creates 10 trace files of size 100MB each. This ensures that you do not run out of space on ESX.

    Note: This option has the same effect of rotating the log files.

Traffic on a virtual internal switch must be captured in a different manner.

notes taken from here:

Capturing virtual switch traffic with tcpdump and other utilities (1000880)


This article provides information about capturing ESX network traffic.

There are two ways to capture traffic in an ESX environment:

Monitoring virtual switch traffic using tcpdump or other packet-capture utilities requires a port group with non-default security policies set.

Attempting to capture traffic without adjusting the security policies results in silent failure of the capture operation.


These steps describe setting up a vSwitch and/or a port group in promiscuous mode for tcpdump:

  1. To monitor traffic via VMware Service Console (SC), a port group and a vswif interface with security settings modified to promiscuous mode accept is required for capturing.
  2. To monitor traffic via the virtual machine, the virtual machine's virtual NIC must be set to promiscuous mode accept, however this step is often accomplished by the capturing utility installed on guest operating systems. The Virtual Switch (vSwitch) and port group security settings must also be modified to accept all traffic ( promiscuous mode accept).
  3. To capture all traffic of the Virtual Switch, the vSwitch security setting is set to promiscuous mode accept.
  4. To capture only the traffic of a port group, only that particular port group security setting is modified to promiscuous mode accept.
  5. A layer 3 IP address is used by the capturing utility, therefore you must have a Service Console with an IP address in the desired subnet for capturing. This also applies to guest operating systems.
  6. To monitor VMkernel Traffic, place a Service Console on the VMkernel virtual switch, and follow the procedure below.
These steps must be applied as a whole if the environment requires total dedicated virtual switch, port group, and service console, or can be used as reference to modify existing network settings. To modify only the port group, go to step 3 above.

Create a new service console portgroup named COS_tcpdump (or another name which makes sense in your environment):

  1. Connect to the ESX host using VI Client / vSphere Client.
  2. Click the ESX host, then click the Configuration tab.
  3. Click Networking under Hardware.
  4. Click Add Networking, which is located at the top right. The Add Network Wizard window appears.
  5. Click Service console, then click Next.
  6. Select Create a virtual switch and select the NIC to be associated with the virtual switch and click Next.
  7. Enter a Network Label for the server console (in this example, COS_tcpdump), and provide a VLAN ID (optional).
  8. On ESX 4.x, click Next.
  9. Assign IP information using DHCP or manually by entering an IP Address and Subnet Mask, then click Next.
  10. Click Finish to create the switch.
  11. Click Properties next to the new virtual switch to edit its properties.
  12. Highlight the newly created Service Console and click Edit to modify its properties.
  13. In the vSwitch Properties window, click the Security tab and change all three Policy exceptions to Accept and click OK.
  14. Close the Properties window. You are ready to run tcpdump on this vswif interface.

No comments:

Post a Comment