Packet Capture on VCSA 6.0


Whilst working with a customer recently, we encountered a situation recently where we were required to run a packet capture on a VCSA (vCenter Server appliance) version 6.0.

Being a Linux appliance underneath, the tool to use is tcpdump, but by default tcpdump is not actually installed by default. There are a few steps you need to follow to get it installed.

SSH into the VCSA which should get you to the standard appliance shell

Now run the following command to enable the pi shell:

Next you can enter the pi shell with the following command:

or you can just type

Which should drop you into the pi shell

By default tcpdump is not installed, so we need to run the following commands to install the required RPMs.

If you are using version 5.x VCSA, the path is slightly different.

Which will then proceed to install both tcpdump and netcat

So now you can use tcpdump to your hearts content. However keep in mind that according to the documentation tcpdump was not installed by default due to security concerns, so they also provide you a script to uninstall it.

And if you just want to check whether tcpdump has already been installed you can run the following command:

Not Installed

Installed


WinSCP

Sometime when using tcpdump, you want to save the capture to a pcap file so you can analyse it in something like Wireshark. But getting the file off the VCSA appliance via WinSCP can lead to the following error messages

Screen Shot 2015-06-26 at 2.57.52 pm

Screen Shot 2015-06-26 at 2.57.38 pm

 

This error is due to the fact that when connecting to the VCSA appliance its not dropping the root user into the BASH shell by default.

So to change the default shell to the BASH shell, you can execute the following command:

And to switch it back to the applianceshell (default), execute the following command:

 

Leave a Reply