Capturing a network trace in ESXi using Tech Support Mode or ESXi Shell


This article provides information on capturing network traces in ESXi 4.0 Update 1, ESXi 4.1 and ESXi 5.x. Network traces are useful when investigating network problems.


To capture network traces in ESXi 4.x and ESXi 5.x, use the tcpdump-uw command in Tech Support Mode.

Note: In ESXi 5.x, Tech Support Mode is replaced by ESXi Shell. For more information, see Using ESXi Shell in ESXi 5.0 (2004746).

The tcpdump-uw command is based on the standard tcpdump utility. Network traces are captured from the perspective of a network interface. The examples in this article use vmk0, though any VMkernel network interface could be used.

Capturing network traces with tcpdump-uw

  • To list the VMkernel interfaces, use the esxcfg-vmknic command with the -l option:

    # esxcfg-vmknic -l

  • To display packets on the VMkernel interface vmk0, use the tcpdump-uw command with the -i option:

    # tcpdump-uw -i vmk0

    Note: By default, the tcpdump and tcpdump-uw commands capture only the first 68 bytes of data from a packet.

  • To capture the entire packet, use the tcpdump-uw command with the -s option, with a value of 1514 for normal traffic and 9014 if Jumbo Frames are enabled:

    Normal traffic: # tcpdump-uw -i vmk0 -s 1514
    Jumbo Frames enabled: # tcpdump-uw -i vmk0 -s 9014

  • To display all of the packets on vmk0 with verbose detail, use the tcpdump-uw command with the -vvv option:

    # tcpdump-uw -i vmk0 -s 1514 -vvv

  • To display only the TCP packets on vmk0, append the tcp filter expression to the tcpdump-uw command:

    # tcpdump-uw -i vmk0 -s 1514 tcp

  • To save the dump in pcap format for later use with Wireshark, use the -w option followed by a file name, for example traffic.pcap:

    # tcpdump-uw -i vmk0 -s 1514 -w traffic.pcap

Based on VMware KB 1031186