Capturing network traffic and downloading the .pcap file is a must-know skill for any network troubleshooting in an NSX environment.
To do so, follow the steps below in order:
Step 1: Open a console or PuTTY (SSH) session to the NSX edge device.
Step 2: Log in with the admin credentials (the username "root" doesn't work in NSX :))
#Hopefully you know how to find or reset the credentials of the NSX edge. If not, let me know.
#When we say "capture the traffic", we assume that traffic is actually flowing. If it isn't, initiate traffic between source and destination first. If both are VMs, start a ping from the source VM to the destination VM.
Step 3: Run the command below on the NSX edge (PuTTY/console) to start capturing the traffic
debug packet capture interface vNic_0
1. After a few seconds, stop the capture by pressing CTRL+C.
2. The output will look like the one shown below.
3. The above command captures all the traffic hitting vNic_0 of this edge and saves the file on the appliance's own storage only. That is why it should not be left running for a long period (1-2 hours, say), as that leads to edge performance issues.
#Now let's see how to download it.
Step 4: Run the command below
debug copy ftp gjohar@<ftp server IP address>:/ tcpdump_vNic_4.0
For example : debug copy ftp firstname.lastname@example.org:/ tcpdump_vNic_4.0
1. gjohar - the username created on the FTP server
2. The FTP server should be accessible from the internet and reachable from the NSX edge (for example, it should respond to ping from the edge).
3. tcpdump_vNic_4.0 - the file to download, which is named automatically when the capture is created. The name can differ in your case, so to confirm it, run the command below after stopping the capture
Step 4.1: debug show files
Once you run the command shown in step 4, you will see this file on your FTP server. Now you can open, share and examine the file as you wish.
Dig in a bit deeper
In the steps above, I explained capturing all the traffic on an interface. Now let's see how to capture a particular IP's traffic on this interface, vNic_0.
You just need to modify the capture command as below.
#debug packet capture interface vNic_0 -n_src_host_22.214.171.124
126.96.36.199 - the IP address whose traffic we want to capture.
Dig in a bit more deeply
I want to capture packets with both source and destination specified.
#debug packet capture interface vNic_0 host_192.168.11.3_and_host_192.168.11.41
192.168.11.3 - Source
188.8.131.52 - Destination
Let's dig in a little more deeply
Now, I want to see whether source and destination are communicating over port 80 (or any other port).
#debug packet display interface vNic_0 host_192.168.11.3_and_host_192.168.11.41_and_port_80
1. I have used vNic_0 just as an example. Change it as per your requirement and according to whether the traffic is egress or ingress. For example, if two VMs are in the same subnet, both communicate over the same logical switch, but if they are in different subnets then the traffic first goes in and out of one interface (vNic_0) and then in and out of the second interface (vNic_1).
2. If you just want to display the traffic and don't want to capture it, replace the word capture with display in all of the above commands.
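Once the file is on your FTP server, it is worth confirming that it really holds the conversation you filtered for before sharing it. The following is an added example, not part of this post and not an NSX Edge CLI feature: a small pure-Python pcap reader (standard library only) that counts the packets matching the same selection as the last filter above, host_192.168.11.3_and_host_192.168.11.41_and_port_80. The function names (build_pcap, parse_pcap, decode, summarize) are my own, and the capture it reads is constructed in memory from the two hosts used in this post plus a made-up third host, 192.168.11.50, rather than taken from a real edge; point parse_pcap at the bytes of your downloaded tcpdump_vNic_x.0 file to run it on a real capture.

```python
"""Added example: minimal pcap reader used to check what a downloaded NSX edge
capture contains. Sample capture is constructed here, not a real NSX file."""
import socket
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1


# ---- building the sample capture (constructed test data) --------------------

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left zero because we only parse it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def ethernet_frame(src, dst, proto, sport=None, dport=None):
    # TCP (6) and UDP (17) carry ports in their first 4 bytes; ICMP (1) has none.
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 65535, 0, 0)
    elif proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:
        l4 = b""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ipv4_header(src, dst, proto, len(l4)) + l4


def build_pcap(frames):
    # Global header: little-endian magic, version 2.4, snaplen 65535, Ethernet.
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b""
    for i, frame in enumerate(frames):
        records += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return header + records


A, B = "192.168.11.3", "192.168.11.41"          # hosts from the post
SAMPLE_PCAP = build_pcap([
    ethernet_frame(A, B, 6, 51000, 80),          # A -> B, TCP port 80   (match)
    ethernet_frame(B, A, 6, 80, 51000),          # B -> A, TCP reply     (match)
    ethernet_frame(A, B, 6, 51001, 443),         # A -> B, port 443      (no match)
    ethernet_frame(A, "192.168.11.50", 6, 53000, 80),  # made-up host   (no match)
    ethernet_frame(A, B, 1),                     # ICMP, no ports        (no match)
    ethernet_frame(B, A, 17, 80, 51002),         # UDP port 80           (match)
])


# ---- reading the capture -----------------------------------------------------

def parse_pcap(data):
    """Yield raw Ethernet frames from pcap bytes. Handles both byte orders and
    the nanosecond-magic variant, and stops cleanly at a truncated last record."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _frac, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # file ends mid-record (a capture stopped mid-write can look like this)
        off += incl_len
        yield frame


def decode(frame):
    """Return (src_ip, dst_ip, proto, sport, dport) for an IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    sport = dport = None
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return src, dst, proto, sport, dport


def summarize(data, host_a, host_b, port):
    """Count packets between host_a and host_b (either direction) with `port`
    on either side: the same selection as host_A_and_host_B_and_port_N."""
    total, matched = 0, Counter()
    for frame in parse_pcap(data):
        total += 1
        pkt = decode(frame)
        if pkt and {pkt[0], pkt[1]} == {host_a, host_b} and port in (pkt[3], pkt[4]):
            matched[(pkt[0], pkt[1])] += 1
    return total, dict(matched)


if __name__ == "__main__":
    total, matched = summarize(SAMPLE_PCAP, A, B, 80)
    print(f"{total} packets in capture, {sum(matched.values())} match host/host/port 80")
    for (src, dst), n in sorted(matched.items()):
        print(f"  {src} -> {dst}: {n}")
```

Note that the edge's filter syntax seen in the commands above replaces the spaces of a normal tcpdump expression with underscores; summarize() mirrors that filter's meaning, so a count of zero on a real file tells you the edge captured on the wrong interface or direction (see point 1 above) rather than that the hosts never talked.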
That's it, folks, for now!
Any doubts? Want to ask?