Dear Community Please advise. Wireshark 3.3.0 installed to VM vmware 6.7 NIC - vmxnet3 10Gb Wireshark installed normally and seems works. But it is STOPs to catch traffic after 10-30 sec Just starts, capture a bit and stops catching. GUI works but traffic not arrive to main window Thank you much in advance Regards, Andrii [email protected]
Appears that capture is working and it is a storage problem.
Storing large captures to esxi OS partitions is probably not good.
/tmp is 256M which matches when capture ends in the last comment above.
[root@esx1:~] vdf -h | tail -10
-----
Ramdisk Size Used Available Use% Mounted on
root 32M 2M 29M 7% --
etc 28M 184K 27M 0% --
opt 32M 0B 32M 0% --
var 48M 340K 47M 0% --
tmp 256M 64K 255M 0% --
iofilters 32M 0B 32M 0% --
shm 1024M 0B 1024M 0% --
hostdstats 569M 3M 565M 0% --
Using /scratch is a better practice. The article below works through verifying the current location and how to configure if not present. If on a datastore check available space and configure total capture size to not overfill.
Creating a persistent scratch location for ESXi 7.x/6.x/5.x/4.x
"VMware recommends that ESXi has a persistent scratch location available for storing temporary data including logs, diagnostic information, and system swap."
Dear Chuckc 1)Thank you much for your attention and help I will try to implement those feature ASAP (Need to arrange services temporarily stop and reboot host) 2) What would you recommend regarding Wireshark in this case ? Any setting which also allows to direct output to /scratch (or other location as Wireshark installed to VM ) And how to achieve data rotation to avoid overfilling ? Regards, AntexMv
Asked: 2020-09-24 09:59:37 +0000
Seen: 755 times
Last updated: Sep 27 '20
Wireshark will use dumpcap in the background for the packet capture. Can you make a capture from the command line using
dumpcapand does it have the same issue?Dear Chuckc Thank you for your attention to my question I will try to check with dumpcap when come back to work On other hand, I read that npcap or winpcap should be used in virtual environment Also we need to take in consideration vmxnet is 10Gb vnic I also found that vmware support recommend to use internal capture tools Please correct if I am wrong Thank you for your support Regards, AntexMv
Capturing and Tracing Network Packets by Using the pktcap-uw Utility
Looks like
pktcap-uwis tightly integrated and very flexible.The default output format is
pcap. When using--ngforpcapngit added a packet comment to each packet (example):Yes, dumpcap, which is the packet capture utility that comes with Wireshark, does use WinPcap or Npcap, depending on which one you have installed. Which one do you have installed?
Using dumpcap remove all the extra Wireshark code from the code path when capturing, so that it'd be easier to see whether the problem is in dumpcap, Wireshark, or WinPcap/Npcap.
Dear Chuck Thank you for your support I checked dumpcap alone without wireshark I check under Administrator credentials, also using CLI and GUI In all cases behavior the same - few seconds catching traffic and stops Any idea ? Regards, AntexMv