Working in support, one of the most common questions I receive from network administrators and VMware admins alike is “What’s going on, on the vSwitch?”. vSwitches (Distributed or not) can be, as a colleague of mine says, “a black box filled with voodoo inside”. Unfortunately, in the past the best way to observe the traffic was a painful process that required SPAN ports on the physical switch, Wireshark VMs or configuration changes made to the vSwitch to allow captures. Combine this with the fact that these processes often involve multiple teams within the organization working together, and you have a recipe for a slow-moving troubleshooting process. Keeping all of this in mind, I’m sure I wasn’t the only one who gave both a sigh of relief and a bit of a celebration when reading about the Enhanced Host-Level Packet Capture command in the vSphere 5.5 What’s New document.

If you haven’t heard, or aren’t sure why this is a big deal, let me outline a few of the benefits below:

  • Available as part of the vSphere platform and can be accessed through the vSphere host command prompt

The key point to take away from this is that the tool is included directly on the host, so any networking issue involving vCenter does not prevent you from using it.

  • Can capture traffic on vSS and DvS


  • Captures packets at the vNic, Uplink and Port level

This is the reason I am writing a blog post about the command. The ability to capture traffic at these different levels within the hypervisor not only lets us demystify the vSwitch a bit, it also allows for expedited troubleshooting. No longer will the blame game be dragged out and reliant on SPAN ports and promiscuous mode to get a full view of the environment. As a VMware professional, if this doesn’t put a smile on your face there is something wrong.

  • Can capture dropped traffic

I think this really speaks for itself. If traffic is being dropped within the hypervisor, it helps to actually be able to identify where.

  • Can trace the path of the packet with timestamp details


While this tool has been highlighted by VMware, I was not able to find any mention of the actual command anywhere. I decided to go digging myself and found what I was looking for:

pktcap-uw

The new tool handles much like tcpdump but allows for additional granularity in what you’re capturing, or not, and how. A quick view of the help screen by appending the -h switch even shows support for capturing at the dvfilter level (vShield App anyone?). I for one am very excited to utilize the tool, as it will make my job in support that much quicker and make it easier to identify networking problems in or outside the host. I will be adding another post in the upcoming days after I’ve had some time to truly understand what each option allows for and the best ways to use them. In the meantime there is a public KB that gives the bare bones of captures that can be found here.
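To make the capture points listed above concrete, here is a small ESXi shell wrapper around pktcap-uw that I have added as an example; it is not from the original post or from VMware. It assumes the vSphere 5.5 pktcap-uw options --uplink, --switchport, --vmk, --capture Drop and --trace, and that vmnic0, vmk0, the port ID and the IP address are placeholders you replace with your own values.

```shell
#!/bin/sh
# Added example (not from the original post): one function per capture point
# described in the post, each writing a pcap you can open in Wireshark.
# Assumptions: pktcap-uw is on PATH (ESXi 5.5 shell); names below are placeholders.
# Set DRY_RUN=1 to print the commands instead of running them.

PKTCAP=${PKTCAP:-pktcap-uw}
COUNT=${COUNT:-100}        # stop after this many packets so a capture never runs away
OUTDIR=${OUTDIR:-/tmp}     # where the .pcap files land

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"     # show what would be executed
  else
    "$@"
  fi
}

# Uplink level: frames as they cross the physical NIC (vmnicN).
capture_uplink() {
  run "$PKTCAP" --uplink "$1" -c "$COUNT" -o "$OUTDIR/uplink-$1.pcap"
}

# Port level: a single vSwitch port, identified by its numeric port ID
# (look it up with: esxcli network vm port list -w <worldID>).
capture_port() {
  run "$PKTCAP" --switchport "$1" -c "$COUNT" -o "$OUTDIR/port-$1.pcap"
}

# vmkernel interface level (management, vMotion, storage traffic on vmkN).
capture_vmk() {
  run "$PKTCAP" --vmk "$1" -c "$COUNT" -o "$OUTDIR/$1.pcap"
}

# Dropped traffic: only packets the hypervisor discarded, wherever that happened.
capture_drops() {
  run "$PKTCAP" --capture Drop -c "$COUNT" -o "$OUTDIR/drops.pcap"
}

# Path trace: follow packets to/from one IP through the host with timestamps
# (printed to the console rather than written to a pcap).
trace_ip() {
  run "$PKTCAP" --trace --ip "$1" -c "$COUNT"
}
```

Capturing the same flow at the port and at the uplink, then comparing the two pcaps (or the drop capture) in Wireshark, shows whether a missing packet never reached the vSwitch, was dropped inside it, or left the host and vanished on the physical network.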