Description
This article describes how to sniff traffic on hypervisor (ESXi) using pktcap-uw tool.
Scope
For VMware ESXi.
Solution
Many Fortinet products can be run on ESXi hypervisor.
In case of connectivity issue between Fortinet VM and other VM/s it is worth to sniff traffic on hypervisor side in order to isolate the issue.
In order to sniff traffic on ESXi server, it is necessary to perform steps below:
- Enable ssh access on ESXi.
- Ssh to ESXi.
- Run in CLI net-stats -l | grep <VM name> in order to find virtual switchport of the VM.
- In vSphere 6.5 or earlier it is necessary to specify direction of sniffing (either input or output).
- Switchport number for particular VM can be found using net-stats command.
- 'O' defines path where pcap file will be created and specify file name.
- dir specify direction (either input or output):
pktcap-uw --switchport 123 -o /tmp/in.pcap --dir input
pktcap-uw --switchport 123 -o /tmp/out.pcap --dir output
- In vSphere 6.7 or later it is possible to sniff traffic in both directions by setting --dir 2:
pktcap-uw --switchport 123 -o /tmp/both.pcap --dir 2
- Run Ctrl-C in CLI order to stop sniffing.
- Download created pcap file/s over ssh from ESXi.
