How to capture network traffic from/to virtual machine running on VMware ESXi host.
This method uses pktcap-uw tool which is available in ESXi 5.5 and later.
First enable SSH on your VMware ESXi host.
Connect to ESXi host via SSH.
List running virtual machines and check World-ID:
Assuming that our VM has Wordl-D: 47220
Check switchport ID for found World-ID:
Assume that it will return following Port ID: 33554452
Use below commands for capturing network traffic.
Use --dir option (0 or 1) to distinguish between inbount or outbound network traffic
You can use two separate SSH session to host to perform both commands in the same time.
pktcap-uw --switchport 33554452 --dir 1 -o tmp-out.pcap
pktcap-uw --switchport 83886118 --dir 1 -o tmp-out.pcap
Next, you will have to merge it into single pcap file using Wireshark or tshark on your computer.
Proper packet order in merged file will be kept because every packet in pcap file has its own timestamp.
References:
https://kb.vmware.com/s/article/2051814