
Fix ESXi Issue of Incomplete Traffic Capture

This article describes how to capture mirrored (SPAN) network traffic in an ESXi environment using a virtual standard switch. It outlines the configuration steps, including setting the security policy to accept promiscuous mode and, the step that is easy to miss, setting the port group's VLAN ID correctly.

In an ESXi environment, a vSwitch (virtual standard switch) can be used to capture mirrored network traffic by setting its Security policy to accept promiscuous mode, as shown in the figure below. Only Promiscuous mode needs to be set to Accept; MAC address changes and Forged transmits can stay at Reject for a receive-only capture:

The port group must also belong to this vSwitch, and its Security policy should be left at Inherit from vSwitch, as shown in the figure below:

Finally, in the settings of the capture VM (virtual machine), the VM's network adapter must be connected to that port group:

Once the vSwitch, the port group and the VM's network adapter are configured this way, and the corresponding adapter inside the guest operating system is also put into promiscuous mode, the adapter should be able to receive the traffic mirrored to the vSwitch.

However, if you try to capture at this point, for example with tcpdump, you will see that the capture is incomplete: only one direction of the traffic is captured, from client to server, and the server's responses are missing. This is depicted in the figure below:

The cause is the VLAN ID configured on the port group. A standard vSwitch port group only passes frames that match its VLAN setting: untagged frames for VLAN ID 0, or frames tagged with that one VLAN (with the tag stripped) for an ID between 1 and 4094. Mirrored frames carrying any other 802.1Q tag are dropped before they reach the VM, which is how one direction of a conversation can disappear when the two directions arrive with different tags. Setting the VLAN ID to 4095 puts the port group into Virtual Guest Tagging (VGT) mode, in which the vSwitch passes frames from every VLAN to the VM with their tags intact, so the complete traffic is captured, as shown in the figure below:

Because the frames now arrive tagged, the guest sees the 802.1Q headers. Run tcpdump with -e to display the VLAN ID of each frame, and make sure the guest NIC driver is not configured to strip VLAN tags, or the capture will again look incomplete.
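The same configuration as a script, added here as an example and not part of the original article. The host-side functions are meant to be run in the ESXi shell (for instance over SSH) and reproduce the three UI steps plus the VLAN fix with esxcli; the guest-side function runs inside the capture VM. The names vSwitch1 (the vSwitch the mirror uplink lands on), pg-span (the capture port group) and eth1 (the guest adapter connected to that port group) are assumptions and can be overridden through the environment; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original article. Host-side functions run in the
# ESXi shell; capture_mirror_traffic runs inside the capture VM.
# Assumed names (override via environment): vSwitch1, pg-span, eth1.
VSWITCH="${VSWITCH:-vSwitch1}"
PORTGROUP="${PORTGROUP:-pg-span}"
IFACE="${IFACE:-eth1}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1: print the commands instead of running them

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Host side: the settings the article walks through, plus the VLAN fix.
configure_span_portgroup() {
  # 1. vSwitch security policy: accept promiscuous mode. MAC changes and forged
  #    transmits are not needed for a receive-only capture and stay rejected.
  run esxcli network vswitch standard policy security set \
      --vswitch-name="$VSWITCH" --allow-promiscuous=true
  # 2. Port group security policy: inherit from the vSwitch.
  run esxcli network vswitch standard portgroup policy security set \
      --portgroup-name="$PORTGROUP" --use-vswitch
  # 3. VLAN ID 4095 (Virtual Guest Tagging): every VLAN is passed through with
  #    its 802.1Q tag intact, so tagged mirror frames are no longer dropped.
  run esxcli network vswitch standard portgroup set \
      --portgroup-name="$PORTGROUP" --vlan-id=4095
}

# Host side: read the effective policy and VLAN back after the change.
show_span_portgroup() {
  run esxcli network vswitch standard policy security get --vswitch-name="$VSWITCH"
  run esxcli network vswitch standard portgroup policy security get --portgroup-name="$PORTGROUP"
  run esxcli network vswitch standard portgroup list
}

# Guest side: put the capture adapter in promiscuous mode and capture with
# link-layer headers (-e) so the VLAN tag on each mirrored frame is visible.
capture_mirror_traffic() {
  run ip link set "$IFACE" promisc on
  run tcpdump -i "$IFACE" -e -nn -c 20
}

case "${1:-}" in
  host)  configure_span_portgroup; show_span_portgroup ;;
  guest) capture_mirror_traffic ;;
  *)     printf 'usage: %s host|guest   (set DRY_RUN=1 to print commands only)\n' "$0" >&2 ;;
esac
```

Run `DRY_RUN=1 sh capture-setup.sh host` first to review the exact esxcli commands, then `sh capture-setup.sh host` on the ESXi host and `sh capture-setup.sh guest` in the VM. With VGT enabled, each line of the tcpdump output carries a `vlan <id>` field, which is the quickest way to confirm both directions of a conversation now arrive and to see which VLANs they are tagged with.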
