I recently ran into an issue where we needed to capture some packets from the vmk interface on a Nutanix/vSphere host. I found this great utility for that, pktcap-uw, however it only captures traffic in one direction by default. Thankfully I found someone with the info on how to run both incoming and outgoing captures at the same time.

SSH to the host Update the cmd below to reflect your vmk port or whatever you are trying to capture Run this cmd pktcap-uw --vmk vmk0 --dir 0 -o /tmp/vmk0_in.pcap & pktcap-uw --vmk vmk0 --dir 1 -o /tmp/vmk0_out.pcap & Shut down the capture after your done with this cmd kill $(lsof |grep pktcap-uw |awk '{print $1}'| sort -u) Use WinSCP to connect to the host Copy vmk0_in.pcap & vmk0_out.pcap files from /tmp/* Save them somewhere useful Open in wireshark Click File > Merge > pick the 2nd file And you should be presented with a capture with both incoming and outgoing packets.

Using the pktcap-uw tool in ESXi 5.5 and later (2051814)

@beandrew – his reply is what got this working for me