Packet Capture and Trace command usage:
== Create session to capture packets ==
pktcap-uw [--capture [,capture point]...
| [--dir <0|input|1|output|2|inputAndOutput>]
[--stage <0|pre|1|post>] [-K|--kernelside]]
[--switchport | --vmk | --uplink |
--fcport [fastpathSwitchID.] |
--dvfilter |
--overlay ]
[--lifID ]
[-f [module name.][:offset]]
[-AFhP] [-p|--port ]
[-c|--count ] [-s|--snapLen ]
[-G ]
[-C ]
[-o|--outfile ] [--console]
[Flow filter options]
== Create session to trace packets path ==
it can trace up to 32 level from pkt allocation and record up to 12 IOChain or portID
pktcap-uw --trace
[-AFhP] [-p|--port ]
[-c|--count ] [-s|--snapLen ]
[-G ]
[-C ]
[-o|--outfile ] [--console]
[Flow filter options]
The command options:
-p, --port
Specify the port number of vsocket server.
-G,
Specify the seconds to rotate the outfile.
-C,
-o, --outfile
Specify the file name to dump the packets. If unset,
output to console by default. If '-', then stdout is used.
-P, --ng (only working with '-o')
Using the pcapng format to dump into the file.
--console (by default if without '-o')
Output the captured packet info to console.
-s, --snaplen
Only capture the first packet buffer.
The minimum snap length is 24 bytes. However, setting
snaplen to 0 will capture entire packet.
-c, --count
How many count packets to capture.
-h
Print this help.
-A, --availpoints
List all capture points supported.
-F
List all dynamic capture point functions supported.
-4
Capture only IPv4 Packet.
-6
Capture only IPv6 Packet.
--capture
Specify the capture point. Use '-A' to get the list.
If not specified, will select the capture point
by --dir and --stage setting
The switch port options:
(for Port, Uplink and Etherswitch related capture points)
--switchport
Specify the switch port by ID
--fcport [fastpathSwitchID.]
Specify the fastpath port by ID
--lifID
Specify the logical interface id of VDR port
--vmk
Specify the switch port by vmk NIC
--uplink
Specify the switch port by vmnic
The capture point auto selection options without --capture:
--dir <0|input|1|output|2|inputAndOutput> (for --switchport, --vmk, --uplink, --fcport)
The direction of flow, with respect to the vswitch:
0- Input: to vswitch (Default), 1- Output: from vswitch, 2- Input and Output
--stage <0|pre|1|post> (for --switchport, --vmk, --uplink, --dvfilter, --overlay)
The stage at which to capture: 0- Pre: before, 1- Post: after
--kernelside (for --uplink)
The capture point is in kernel instead of in driver.
This option is always true and no longer required.
The capture point options
-f [module name.][[:offset]|[:line number]]
The function name and the offset/line number in the function.
The default module name is 'vmkernel'.
The default offset into the function is 0 (the beginning of the function).
The line number must start with letter 'L' if it's file related
line number, or 'F' for function related line number.
(for 'Dynamic', 'IOChain' and 'TcpipDispatch' capture points)
--dvfilter
Specify the dvfilter name for DVFilter related points
--overlay
Specify the overlay class name for 'Overlay' capture point
--pkt-list-param-idx
Specify the pktList index in function's parameter table, starting from 1
--pkt-param-idx
Specify the pkt index in function's parameter table, starting from 1
--port-id-param-idx
Specify the portId index in function's parameter table, starting from 1
--switchport option is required to filter packets by port ID
--mbuf-param-idx
Specify the mbuf index in function's parameter table, starting from 1
--mbuf-array-param-idx
Specify the mbuf array index in function's parameter table, starting from 1
--num-mbufs-param-idx
Specify the mbuf array size index in function's parameter table, starting from 1
--vprobe-pkt-list
If function offset is specified in '-f' argument, this is the vprobe
expression to access the pointer to pktList, e.g. "rax+18"
If file/function relative line number is specified in '-f' argument,
this is the C expresstion to access pktList, all variables must start
with '$' sign, e.g. "$pktListPtr"
--vprobe-pkt
Vprobe/C expression to access the pointer to pkt, e.g. "rax+18"
or "$pkt", see argument --vprobe-pkt-list for details.
--vprobe-port-id
Vprobe/C expression to access switch port id, e.g. "rax+18"
or "$portID", see argument --vprobe-pkt-list for details.
--vprobe-mbuf
Vprobe expression to access mbuf, e.g. "rax+18"
or "$mbufPtr", see argument --vprobe-pkt-list for details.
--vprobe-mbuf-array
Vprobe expression to access mbuf array, e.g. "rax+18"
or "$mbufArray", see argument --vprobe-pkt-list for details.
--vprobe-num-mbufs
Vprobe expression to access number of mbufs in the array, e.g. "rax+18"
or "$numMbufs", see argument --vprobe-pkt-list for details.
--vprobe-symdbs
The parent directory of the symbol database.
--no-vprobe
Don't emit vprobe script to assist packet capture, the capture
function itself has dynamic capture point inserted
--compile-only
Print the vprobe script to standard output and exit
--script
Start vprobe with the input .emt file to filter packets
Flow filter options, it will be applied when set:
--srcmac
The Ethernet source MAC address.
--dstmac
The Ethernet destination MAC address.
--mac
The Ethernet MAC address(src or dst).
--ethtype 0x
The Ethernet type. HEX format.
--vlan
The Ethernet VLAN ID, one of 0-4095.
--srcip ]>
The source IPv4/IPv6 address.
--dstip ]>
The destination IPv4/IPv6 address.
--ip
The IPv4/IPv6 address(src or dst).
--proto 0x
The IPv4/IPv6 protocol.
--srcport
The TCP source port.
--dstport
The TCP destination port.
--tcpport
The TCP port(src or dst).
--srcudpport
The UDP source port.
--dstudpport
The UDP destination port.
--udpport
The UDP port(src or dst).
--vni
The VNI of flow, one of 0-16777215.
--vxlan
The vxlan id of flow. This option is depreciated, use 'vni' instead.
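
The following is an added example, not part of the pktcap-uw help output: a shell function that checks capture parameters against the limits stated above (snap length 0 or at least 24, VLAN ID 0-4095, -P only with -o) and prints a bounded capture command without running it. The function names, the count ceiling, the sample values, and the value forms (for example "--uplink vmnic0") are assumptions, since the help text lists the flags without their value placeholders.

```shell
#!/bin/sh
# Added example (not from the tool): checks capture parameters against the
# limits in the help text and prints the command line; nothing is executed.
# Value forms such as "--uplink vmnic0" are assumptions.

is_uint() {   # true when $1 is a non-empty string of decimal digits
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

in_range() {  # in_range VALUE MIN MAX
    is_uint "$1" && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

reject() { echo "rejected: $*" >&2; }

# build_pktcap_cmd UPLINK DIR COUNT SNAPLEN OUTFILE [VLAN] [IP]
build_pktcap_cmd() {
    uplink=$1 dir=$2 count=$3 snaplen=$4 outfile=$5 vlan=${6:-} ip=${7:-}

    case "$uplink" in vmnic*) ;; *) reject "uplink $uplink"; return 1 ;; esac
    is_uint "${uplink#vmnic}" || { reject "uplink $uplink"; return 1; }
    case "$dir" in
        0|input|1|output|2|inputAndOutput) ;;
        *) reject "--dir $dir"; return 1 ;;
    esac
    # Always bound the capture; 1000000 is an arbitrary ceiling for this example.
    in_range "$count" 1 1000000 || { reject "-c $count"; return 1; }
    # Help text: minimum snap length is 24 bytes, 0 captures the entire packet.
    is_uint "$snaplen" || { reject "-s $snaplen"; return 1; }
    [ "$snaplen" -eq 0 ] || [ "$snaplen" -ge 24 ] || { reject "-s $snaplen"; return 1; }
    # -P (pcapng) only works with -o, so require a plain file path.
    case "$outfile" in
        ''|-*|*[!A-Za-z0-9_./-]*) reject "-o $outfile"; return 1 ;;
    esac
    cmd="pktcap-uw --uplink $uplink --dir $dir -c $count -s $snaplen -P -o $outfile"
    if [ -n "$vlan" ]; then   # VLAN ID must be one of 0-4095
        in_range "$vlan" 0 4095 || { reject "--vlan $vlan"; return 1; }
        cmd="$cmd --vlan $vlan"
    fi
    if [ -n "$ip" ]; then     # allow only characters found in IPv4/IPv6 literals
        case "$ip" in *[!0-9A-Fa-f:.]*) reject "--ip $ip"; return 1 ;; esac
        cmd="$cmd --ip $ip"
    fi
    echo "$cmd"
}

# Constructed sample values: both directions on vmnic0, 1000 full packets.
build_pktcap_cmd vmnic0 2 1000 0 /tmp/ir.pcapng 100 192.0.2.10
```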