NSX-T Edge Transport Node Packet Captures

NSX-T Edge nodes have a rudimentary packet capture tool built in to the box. It is important to have a built-in tool here, as GENEVE encapsulation will wrap just about everything coming out of a transport node.

NSX-T's CLI guide indicates the method for packet captures - from here we can break it down to a few steps:

• Find the VRF you want to capture from
• Find the interface in that VRF you want to capture from
• Capture from this interface!

get logical-routersvrf {{ desired VRF }}get interfacesset capture session 0 interface {{ interface-id }} direction dualset capture session 0 file example.pcap

The result will be placed in:

/var/vmware/nsx/file-store/

I do have some notes to be aware of here:

• Be careful with packet captures! This is on an all-CPU router - so isolating the device before capturing packets is a wise choice. We can do that with NSX-T, we just need to remember to.
• It's possible to use tcpdump-based packet filters instead of a wholesale capture - just replace the final line with a command similar to this:

set capture session 0 file example.pcap expression port 179