NSX-v: ESG Packet Capture

Whilst troubleshooting at a client today, I needed to perform a packet capture on one of the Edge Services Gateways in the environment. Performing a packet capture is often very helpful in diagnosing a range of different issues.

To kick off a packet capture you can jump on the console of the ESG or, as I am doing in this example, open up an SSH session to the ESG.

You will need to know what interface to run the capture on, so run the following command to list out all the interfaces (for ease of reading I have removed all the interfaces that were showing down/down from the output).

In this example I want to see what is happening on vNic_0. The following command will display all the captured packets to the screen. I would advise (and officially so does VMware) against running this command in a production environment with a lot of traffic, as it will spew out a lot of data to the screen and can potentially cause performance issues on the ESG.

Instead of displaying the output to the screen, you can save the output in a capture file using the following command.

You can even see that under the covers it's running tcpdump, which means you can also write cool expressions or filters.

The following command excludes SSH connections to/from my IP address from appearing in the capture. You must use an underscore between words in the expression.

After performing the capture to a file, you can list all the capture files using the following command:

That’s all good, but doing a directory list doesn’t really help me read the file, so to copy it off you need to use one of the following commands based on the type of transfer protocol you want to use. The choices are SCP or FTP. The following is an example of how to use SCP to copy the capture file off the ESG.

If you prefer, or need to use FTP, just replace the protocol choice SCP in the command with FTP.

Once you have the file off the ESG and in a location you can access, you can open the capture file with Wireshark.
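The whole procedure above as one NSX-v Edge CLI sequence. This is an added example, not the commands from the original post: the address 192.0.2.10, the account `capture-user`, the host `collector.example.com`, the path `/tmp/` and `<capture-file>` are constructed placeholders, and the lines starting with `#` are annotations that are not typed on the ESG.

```text
# 1. List the interfaces and pick the one to capture on (vNic_0 here).
show interface

# 2. Print captured packets to the screen.
#    Avoid this on a busy production edge; use step 3 instead.
debug packet display interface vNic_0

# 3. Capture to a file on the ESG instead of the screen.
debug packet capture interface vNic_0

# 3a. Alternative to step 3: capture with a tcpdump expression.
#     Spaces in the expression are written as underscores.
#     "not host X or not port 22" keeps everything except traffic
#     that is both to/from 192.0.2.10 AND on port 22, so your own
#     SSH session stays out of the capture while other traffic
#     from that address is still recorded.
debug packet capture interface vNic_0 not_host_192.0.2.10_or_not_port_22

# 4. Stop the capture once the problem has been reproduced.
no debug packet capture interface vNic_0

# 5. List the capture files held on the ESG.
debug show files

# 6. Copy a capture file off the ESG over SCP.
#    Replace <capture-file> with a name shown by step 5.
#    Swap "scp" for "ftp" to use FTP instead.
debug copy scp capture-user@collector.example.com:/tmp/ <capture-file>
```

A capture file holds whatever crossed the interface in clear text, so copy it to a host with restricted access and prefer SCP over FTP, which sends both the login and the file unencrypted.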

Happy packet capturing!
