In a previous post I gave an introduction to a new tool that was added in ESXi 5.5 that allows for additional granularity when troubleshooting Networking issues. I’ve finally found some time to play around and understand how to use the command and wanted to put those notes down so that I could come back to them when needed.

When running pktcap-uw the structure of the command should look something similar to this (every long-form parameter takes two leading dashes; the interface is given with --uplink for a physical adapter or --switchport for a virtual port):

pktcap-uw --capture <capture point> --uplink <vmnicN>|--switchport <port-id> --dir <0/1> --stage <0/1> --dstport <port> --proto <0xproto>

The name capturepoint is a bit deceiving. I originally assumed this meant the item that we would be dumping (vmkernel, physical NIC, switchport, etc.); however, it is actually an additional parameter that goes along with the interface. A great example is the capture point PortOutput, which shows traffic being delivered from the vSwitch to the Guest OS. To get a list of available capture points run pktcap-uw -A. By default the direction of all captures is set to receive (--dir 0), but it can be changed to see outbound traffic as well (--dir 1). At this time I have not been able to identify a way to capture both ingress and egress traffic in a single capture. The stage parameter identifies whether the traffic is captured before or after the capture point. Ultimately this allows us to see where traffic is getting dropped and identify whether an operation inside the host is causing the problem.

Beyond the direction and stage, the parameters of pktcap should feel very similar to our old friend tcpdump. A source or destination port can be specified with --srcport and --dstport respectively, and the same applies for source and destination MAC and IP addresses (--srcmac/--dstmac and --srcip/--dstip). If you want to write the capture to a pcap file for analysis later on, use the -o <FILENAME> parameter. Explaining the help screen is all well and good, but let's see pktcap in some real-world scenarios below:


If I want to capture all traffic on vmnic0 destined for port 22, the command would be:

pktcap-uw --uplink vmnic0 --dstport 22



Neat! That is the traffic from my current SSH session to the host being echoed on the screen. What if we want to capture just the ICMP traffic that's going to the vCenter server running on that host?


Our first step is to run esxtop and switch to the networking view by hitting 'n':


From this screen we note the highlighted PORT-ID for our vCenter server; in this case it's 50331656. Leave esxtop by hitting 'q' and enter the command below. (NOTE: all protocols need to be referenced by their IP protocol number in hexadecimal, which can be found here.)

pktcap-uw --switchport 50331656 --proto 0x01


Interesting. We're not seeing any traffic captured, which makes sense since the constant ping from my desktop is timing out. Let's see if it's even making it to the physical interface that the vCenter server is bound to. If you reference the esxtop screenshot again you can see that vCenter has bound its traffic to vmnic1. Let's capture all ICMP traffic destined for my vCenter server's IP ending in .10.117:

pktcap-uw --uplink vmnic1 --proto 0x01 --dstip x.x.10.117


So the traffic is at least hitting the physical NIC, but we're not seeing it at the guest. Let's see if the vSwitch is delivering it to the guest by specifying the capture point PortOutput:

pktcap-uw --capture PortOutput --switchport 50331656 --proto 0x01


At this point we've identified that not only is the traffic reaching the physical interface of the host, but it's making its way through the vmkernel and out the virtual port of the vSwitch to the Guest OS. Investigation should now be refocused on the vCenter server itself to see why the ICMP requests aren't making it through. Make sure to check your Windows Firewall, people 😉.

There are many more options for this tool, and the meaning of a capture point depends on the interface you capture on. For example, --capture PortOutput with a switchport as the target shows traffic delivered from the vSwitch to the Guest, while PortOutput with a physical adapter as the target shows traffic being delivered from the vSwitch to the physical adapter.
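The walkthrough above is really one repeatable procedure: capture at the uplink, then at the VM's switch port, then at PortOutput on that port, and see at which hop the packets stop. The POSIX-sh helper below is an added example, not code from the original post or from VMware; it assembles those pktcap-uw command lines and runs them in sequence. It assumes pktcap-uw's -c <count> option (documented in the tool's help, but not shown in the post) to stop each capture after a fixed number of packets, writes each capture with -o to a /tmp path of my choosing, and uses the post's own values (vmnic1, PORT-ID 50331656, redacted address x.x.10.117) in the dry-run demo. The function names, PKTCAP_BIN and PKTCAP_DRY_RUN are mine.

```shell
#!/bin/sh
# Added example (not from the original post): assemble and run the three
# pktcap-uw captures used to localise a drop inside the host:
#   1. physical uplink            -> is the traffic arriving at the NIC?
#   2. VM switch port (default)   -> is it reaching the virtual port?
#   3. VM switch port, PortOutput -> is the vSwitch handing it to the guest?
# Assumptions: pktcap-uw supports -c <count> (stop after N packets) and
# -o <file> (write pcap). Set PKTCAP_DRY_RUN=1 to print commands instead of
# running them, e.g. when checking the script off-host.

PKTCAP_BIN="${PKTCAP_BIN:-pktcap-uw}"
PKTCAP_DRY_RUN="${PKTCAP_DRY_RUN:-0}"

# pktcap-uw wants the IP protocol number in hex; map the common names.
proto_hex() {
    case "$1" in
        icmp) echo 0x01 ;;
        tcp)  echo 0x06 ;;
        udp)  echo 0x11 ;;
        0x*)  echo "$1" ;;                       # already hex, pass through
        *)    echo "unknown protocol: $1" >&2; return 1 ;;
    esac
}

# Build one capture command line (printed, not executed). Arguments:
#   $1 target kind: uplink | switchport
#   $2 target: vmnicN, or the PORT-ID read from esxtop's 'n' view
#   $3 protocol name or 0x hex value
#   $4 destination IP, or "" for no --dstip filter
#   $5 capture point, or "" for the interface's default point
#   $6 packet count   $7 output pcap file
build_pktcap_cmd() {
    kind=$1; target=$2; proto=$3; dstip=$4; point=$5; count=$6; out=$7
    case "$kind" in
        uplink|switchport) ;;
        *) echo "target kind must be uplink or switchport" >&2; return 1 ;;
    esac
    hex=$(proto_hex "$proto") || return 1
    cmd="$PKTCAP_BIN --$kind $target --proto $hex"
    [ -n "$dstip" ] && cmd="$cmd --dstip $dstip"
    [ -n "$point" ] && cmd="$cmd --capture $point"
    cmd="$cmd -c $count -o $out"
    echo "$cmd"
}

# Run (or, in dry-run mode, print) a single capture.
run_capture() {
    cmd=$(build_pktcap_cmd "$@") || return 1
    if [ "$PKTCAP_DRY_RUN" = 1 ]; then
        echo "$cmd"
    else
        echo "# $cmd" >&2
        $cmd            # intentional word splitting: run the assembled line
    fi
}

# The sequence from the post. Packets in step N but none in step N+1
# brackets where inside the host the traffic disappears; packets in all
# three point at the guest itself (e.g. its firewall).
trace_drop() {
    uplink=$1; portid=$2; proto=$3; dstip=$4; count=${5:-20}
    run_capture uplink "$uplink" "$proto" "$dstip" "" "$count" "/tmp/1-uplink-$uplink.pcap" &&
    run_capture switchport "$portid" "$proto" "" "" "$count" "/tmp/2-port-$portid.pcap" &&
    run_capture switchport "$portid" "$proto" "" PortOutput "$count" "/tmp/3-portoutput-$portid.pcap"
}

# Dry-run demo with the post's values; remove PKTCAP_DRY_RUN=1 on an ESXi host.
( PKTCAP_DRY_RUN=1; trace_drop vmnic1 50331656 icmp x.x.10.117 )
```

The three pcap files can be pulled off the host and opened side by side in Wireshark; comparing packet counts per file is usually enough to see which hop is dropping.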

For more information on the EHLPC check out




This is a personal blog. Any views or opinions represented in this blog are personal and solely belong to me and do not represent those of VMware, unless explicitly stated.
All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.

Working in support, one of the most common questions I receive from network administrators and VMware admins alike is "What's going on, on the vSwitch?". vSwitches (distributed or not) can be, as a colleague of mine says, "a black box filled with voodoo inside". Unfortunately, in the past the best way to observe the traffic was a painful process that required SPAN ports on the physical switch, Wireshark VMs, or configuration changes to the vSwitch to allow captures. Combine this with the fact that these processes often involve multiple teams within the organization working together and you have a recipe for a slow-moving troubleshooting process. Keeping all of this in mind, I'm sure I wasn't the only one who gave both a sigh of relief and a bit of a celebration when reading about the Enhanced Host-Level Packet Capture command in the vSphere 5.5 What's New document.

If you haven't heard, or aren't sure why this is a big deal, let me outline a few of the benefits below:

  • Available as part of the vSphere platform and can be accessed through the vSphere host command prompt

The key point to take away from this is that it's included directly on the host, so any networking issues involving vCenter do not inhibit the use of the tool.

  • Can capture traffic on vSS and DvS


  • Captures packets at the vNic, Uplink and Port level

This is the reason I am writing a blog post about the command. The ability to capture traffic at these different levels within the hypervisor not only allows us to demystify the vSwitch a bit, but it will also allow for expedited troubleshooting. No longer will the blame game be dragged out and reliant on SPAN ports and promiscuous mode to get a full view of the environment. As a VMware professional, if this doesn't put a smile on your face there is something wrong.

  • Can capture dropped traffic

I think this really speaks for itself. If there is traffic being dropped within the hypervisor it helps to actually be able to identify where.

  • Can trace the path of the packet with timestamp details


While this tool has been highlighted by VMware, I was not able to find any mention of the actual command anywhere. I decided to go digging myself and found what I was looking for:


The new tool handles much the same as tcpdump but allows for additional granularity in what you're capturing, or not, and how. A quick view of the help screen by appending the -h switch even shows support for capturing at the dvfilter level (vShield App, anyone?). I for one am very excited to utilize the tool, as it will make my job in support that much quicker and make it easier to identify problems with networking in or outside the host. I will be adding another post in the upcoming days after I've had some time to truly understand what each option allows for and the best ways to use them. In the meantime there is a public KB that gives the bare bones of captures, which can be found here.