VMware Packet Capture

VMware ESXi lets you capture traffic on a virtual machine's network interfaces directly from the ESXi host.

Finding the VM Port

The first step in the capture is to find the VM and its network port. The VM can be found in vCenter, which should show the ESXi host where the VM is hosted.

Once the ESXi host is located, log in via SSH and use the command:

net-stats -l

The output of the command should show the PortNum for each ClientName and MAC address.

Obtaining the Capture

Once you have the port number that maps to the device, you can obtain a capture with the command:

pktcap-uw --switchport PORTNUM --outfile FILENAME.pcapng --ng --dir 2

where PORTNUM is the port number from the command above and FILENAME is the full path where you want the output saved. In this example command, the direction (dir) is set to 2 (incoming and outgoing), and the capture is written in the NG (Next Generation) pcap format.
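The two steps above can be tied together so the capture is keyed on the VM's MAC address rather than a port number copied by eye, which matters when a VM has several NICs or similarly named VMs share a host. The script below is an added example, not part of the original page: the function names, the sample listing (constructed, with made-up MACs, names and port numbers) and the DATASTORE path are assumptions, and it assumes PortNum is the first, numeric column of the listing.

```sh
#!/bin/sh
# Constructed sample of a `net-stats -l` listing (values are made up).
SAMPLE='PortNum          Type SubType SwitchName       MACAddress         ClientName
33554434            4       0 vSwitch0         00:25:90:aa:bb:01  vmnic0
33554436            3       0 vSwitch0         00:25:90:aa:bb:02  vmk0
33554441            5       9 vSwitch0         00:50:56:aa:bb:10  web01.eth0
33554442            5       9 vSwitch0         00:50:56:aa:bb:11  web01.eth1
33554443            5       9 vSwitch0         00:50:56:aa:bb:20  db 01.eth0'

# port_for_mac MAC
# Reads a port listing on stdin and prints the PortNum of the row containing
# MAC (case-insensitive, any column after the first).
# Exit status: 0 = exactly one match, 1 = no match, 2 = more than one match.
port_for_mac() {
    awk -v mac="$1" '
        BEGIN { mac = tolower(mac) }
        $1 ~ /^[0-9]+$/ {                      # skip header and blank lines
            for (i = 2; i <= NF; i++)
                if (tolower($i) == mac) { port = $1; n++; break }
        }
        END {
            if (n == 1) { print port; exit 0 }
            exit (n == 0 ? 1 : 2)              # refuse to guess
        }'
}

# capture_cmd PORTNUM FILENAME
# Prints the pktcap-uw command line from the page for a validated port number.
capture_cmd() {
    case "$1" in
        ''|*[!0-9]*) echo "invalid port number: '$1'" >&2; return 1 ;;
    esac
    printf 'pktcap-uw --switchport %s --outfile %s --ng --dir 2\n' "$1" "$2"
}

# Demo against the constructed sample. On an ESXi host, replace the printf
# with:  net-stats -l | port_for_mac <MAC of the VM NIC>
# DATASTORE is a placeholder for a datastore with enough free space.
port=$(printf '%s\n' "$SAMPLE" | port_for_mac 00:50:56:AA:BB:11) &&
    capture_cmd "$port" /vmfs/volumes/DATASTORE/web01-eth1.pcapng
```

The script only prints the capture command so it can be reviewed before it is run on the host.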