Created on 02-18-2020 02:54 AM Edited on 12-16-2021 01:52 AM By Anonymous
Description
This article describes how to sniff traffic on a hypervisor (ESXi) using the pktcap-uw tool.
Scope
For VMware ESXi.
Solution
Many Fortinet products can run on the ESXi hypervisor.
In case of a connectivity issue between a Fortinet VM and other VM(s), it is worth sniffing traffic on the hypervisor side in order to isolate the issue.
In order to sniff traffic on an ESXi server, perform the steps below:
- Enable SSH access on ESXi.
- SSH to ESXi.
- In the CLI, run net-stats -l | grep <VM name> to find the virtual switchport of the VM.
- In vSphere 6.5 or earlier it is necessary to specify the direction of sniffing (either input or output).
- The switchport number of a particular VM can be found using the net-stats command.
- -o defines the path and file name of the pcap file that will be created.
- --dir specifies the direction (either input or output):
pktcap-uw --switchport 123 -o /tmp/in.pcap --dir input
pktcap-uw --switchport 123 -o /tmp/out.pcap --dir output
- In vSphere 6.7 or later it is possible to sniff traffic in both directions by setting --dir 2:
pktcap-uw --switchport 123 -o /tmp/both.pcap --dir 2
- Press Ctrl-C in the CLI to stop sniffing.
- Download the created pcap file(s) from ESXi over SSH.
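As an added example (not part of the original article), a small POSIX shell helper that picks the VM's switchport out of net-stats -l output and prints the pktcap-uw command line(s) appropriate for the vSphere version; the column layout of net-stats -l (PortNum in the first column, ClientName in the last) and the sample output below are assumptions.

```shell
#!/bin/sh
# Constructed sample of 'net-stats -l' output; the column layout is an assumption.
SAMPLE_NETSTATS='PortNum          Type SubType SwitchName       MACAddress         ClientName
33554434            4       0 vSwitch0         00:50:56:aa:bb:01  vmnic0
33554436            3       0 vSwitch0         00:50:56:aa:bb:02  vmk0
33554440            5       9 vSwitch0         00:50:56:aa:bb:03  FortiGate-VM64.eth0
33554441            5       9 vSwitch1         00:50:56:aa:bb:04  FortiGate-VM64.eth1'

# find_switchport <vm-name-pattern> [netstats-output]
# Prints the PortNum of the first entry whose ClientName contains the pattern.
# With only one argument it reads live 'net-stats -l' output on the ESXi host.
find_switchport() {
    pattern=$1
    if [ $# -ge 2 ]; then input=$2; else input=$(net-stats -l); fi
    printf '%s\n' "$input" | awk -v pat="$pattern" \
        'NR > 1 && index($NF, pat) { print $1; exit }'
}

# capture_cmds <switchport> <vsphere-major.minor> <outdir>
# vSphere 6.7 and later capture both directions with --dir 2;
# 6.5 and earlier need one capture per direction (input and output).
capture_cmds() {
    port=$1; ver=$2; outdir=$3
    major=${ver%%.*}
    minor=${ver#*.}; minor=${minor%%.*}
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 7 ]; }; then
        echo "pktcap-uw --switchport $port -o $outdir/both.pcap --dir 2"
    else
        echo "pktcap-uw --switchport $port -o $outdir/in.pcap --dir input"
        echo "pktcap-uw --switchport $port -o $outdir/out.pcap --dir output"
    fi
}

# Usage on the sample: locate the FortiGate's eth0 port and print the commands.
port=$(find_switchport FortiGate-VM64.eth0 "$SAMPLE_NETSTATS")
capture_cmds "$port" 6.7 /tmp
```

Stop each capture with Ctrl-C and pull the pcap files from /tmp over SSH as described above.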
Copyright 2024 Fortinet, Inc. All Rights Reserved.