Get a TCP Dump of a VM running on VMware vSphere

Sometimes during an incident you need to examine a VM's network communication to find errors. This article explains how to get a TCP dump of a VM running on VMware vSphere.

Before you begin, make sure the following is in place.

  1. If you are running in a clustered environment, make sure a VM-host rule has been created that binds the VM to its parent ESXi host.
  2. The SSH service is running on the ESXi host.

Then connect via SSH to the ESXi host where the relevant VM is running.

Then run the command below in the ESXi shell to find the ID of the switchport the VM is connected to.

net-stats -l | grep VMname

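You will see the switchport ID.

Copy the switchport ID and substitute it into the command below. Each direction is written to its own file, because two captures writing to the same file would overwrite each other.

pktcap-uw --dir 0 --switchport 33554493 -o /tmp/dumpname-dir0.pcap & pktcap-uw --dir 1 --switchport 33554493 -o /tmp/dumpname-dir1.pcap &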

After executing the command above, the TCP dump starts running. When you want to stop it, press Ctrl+C on the keyboard, then enter the command below to kill the process.

kill $(lsof | grep pktcap-uw | awk '{print $1}' | sort -u)

The capture output is saved in the /tmp folder.

Use the WinSCP tool to connect to the ESXi host and download the TCP dump file for examination. Finally, remove the VM-host rule and disable SSH on the host.
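
The lookup and capture steps above, as an added shell example that is not part of the original article: it matches the VM name exactly instead of with a substring grep, handles VMs with several NICs, and prints the pktcap-uw commands for review. The function names, the sample data and the assumed `net-stats -l` column layout (PortNum first, ClientName from the sixth column, optional `.ethN` suffix) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: dry-run helper, prints pktcap-uw commands without running them.

# Constructed sample of `net-stats -l` output. Assumption: PortNum is column 1
# and ClientName starts at column 6; NIC suffixes such as ".eth1" may appear.
sample_net_stats() {
cat <<'EOF'
PortNum          Type SubType SwitchName       MACAddress         ClientName
33554434            4       0 vSwitch0         00:50:56:00:00:01  vmnic0
33554493            5       9 vSwitch0         00:50:56:00:00:02  web1
33554494            5       9 vSwitch0         00:50:56:00:00:03  web10
33554495            5       9 vSwitch0         00:50:56:00:00:04  web1.eth1
EOF
}

# vm_ports NAME: read net-stats output on stdin and print the port IDs whose
# ClientName is exactly NAME or NAME.ethN. A plain grep for "web1" would also
# return the port of "web10" and capture another VM's traffic.
vm_ports() {
    awk -v vm="$1" '
        $1 !~ /^[0-9]+$/ { next }            # skip header and non-port lines
        {
            name = $6                        # rebuild names containing spaces
            for (i = 7; i <= NF; i++) name = name " " $i
            rest = substr(name, length(vm) + 1)
            if (name == vm || (index(name, vm) == 1 && rest ~ /^\.eth[0-9]+$/))
                print $1
        }'
}

# capture_commands NAME: print one pktcap-uw command per port and direction,
# each writing to its own file under /tmp.
capture_commands() {
    vm_ports "$1" | while read -r port; do
        for dir in 0 1; do
            echo "pktcap-uw --dir ${dir} --switchport ${port} -o /tmp/${port}-dir${dir}.pcap &"
        done
    done
}
```

On the host, `net-stats -l | capture_commands VMname` prints the commands so they can be checked before being pasted into the shell.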
