When you’re troubleshooting network issues, it’s often extremely helpful to view and analyze packet captures. The de-facto tool for this is the open-source Wireshark, which has an extensive protocol decoding capability. So, as a Proxmox user, it would be nice to be able to analyze VM networking issues using Wireshark.

Unfortunately for us, Wireshark is a graphical application and Proxmox’s web UI doesn’t support it. However, we can use the command-line tool tcpdump to create a pcap file, and then analyze that file in Wireshark.

To do this, we need to know what interface on the Proxmox system corresponds to the net interface on our VM. Looking at the VM’s Hardware pane, we can see the net0 and net1 interfaces in this example. Take note of that number, it’s important.

VM Hardware Pane

For net0 of VM 501, the Linux device we need to capture will be named tap501i0. This is located between the Proxmox firewall and the VM, if you have the firewall enabled (you probably should use it, it’s a great tool). Conceptually it looks like this:

Firewall Diagram

So, finally, to capture traffic, run tcpdump from the Proxmox shell.

TCPdump command

For this example, the command is tcpdump -i tap501i0 -n -w <filename>.pcap. You can use whatever file name you want. Use Ctrl+C when you are all done.

To copy the file off, you can use scp, or store move the file to a network location you have access to. Network storage in Proxmox is mounted at /mnt/pve/, fyi.

Man Page for tcpdump in case you need it