When you’re troubleshooting network issues, it’s often extremely helpful to view and analyze packet captures. The de facto tool for this is the open-source Wireshark, which has an extensive protocol decoding capability. So, as a Proxmox user, it would be nice to be able to analyze VM networking issues using Wireshark.
Unfortunately for us, Wireshark is a graphical application and Proxmox’s web UI doesn’t support it. However, we can use the command-line tool tcpdump to create a pcap file, and then analyze that file in Wireshark.
To do this, we need to know which interface on the Proxmox system corresponds to the net interface on our VM. Looking at the VM’s Hardware pane, we can see the net1 interfaces in this example. Take note of that number; it’s important.
For net0 of VM 501, the Linux device we need to capture will be named tap501i0. This is located between the Proxmox firewall and the VM, if you have the firewall enabled (you probably should use it, it’s a great tool). Conceptually it looks like this:
So, finally, to capture traffic, run tcpdump from the Proxmox shell.
For this example, the command is tcpdump -i tap501i0 -n -w <filename>.pcap. You can use whatever file name you want. Use Ctrl+C when you are all done.
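The naming rule and capture command above can be wrapped in a small helper. This is an added example, not part of the original post: it generalizes the net0-to-tap501i0 case to any net<N> index, and the function names, the SYSFS_NET override and the default output file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: derive the tap device for a VM NIC and capture on it.
# SYSFS_NET is overridable only so the existence check can be tested off-host.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# tap_name VMID NETDEV -> prints tap<VMID>i<N>, e.g. "501 net0" -> tap501i0
tap_name() {
    tn_vmid="$1"; tn_dev="$2"; tn_idx="${tn_dev#net}"
    case "$tn_vmid" in
        ''|*[!0-9]*) echo "VMID must be numeric: $tn_vmid" >&2; return 2 ;;
    esac
    case "$tn_dev" in
        net[0-9]*) ;;
        *) echo "expected net<N>, got: $tn_dev" >&2; return 2 ;;
    esac
    case "$tn_idx" in
        *[!0-9]*) echo "expected net<N>, got: $tn_dev" >&2; return 2 ;;
    esac
    printf 'tap%si%s\n' "$tn_vmid" "$tn_idx"
}

# capture_vm VMID NETDEV [OUTFILE] -> runs tcpdump until Ctrl+C, prints file name
capture_vm() {
    cv_if="$(tap_name "$1" "$2")" || return 2
    # The tap device only exists while the VM is running.
    if [ ! -e "$SYSFS_NET/$cv_if" ]; then
        echo "$cv_if not found; is VM $1 running with $2 attached?" >&2
        return 1
    fi
    cv_out="${3:-vm$1-$2-$(date +%Y%m%d-%H%M%S).pcap}"
    # Captures contain packet payloads, so create the file owner-readable only.
    ( umask 077; tcpdump -i "$cv_if" -n -w "$cv_out" )
    echo "$cv_out"
}

# Run directly as: ./capture.sh 501 net0 [outfile.pcap]
if [ "$#" -ge 2 ]; then capture_vm "$@"; fi
```

The existence check fails early with a clear message when the VM is stopped, instead of leaving tcpdump to report an unknown device.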
To copy the file off, you can use scp, or move the file to a network location you have access to. Network storage in Proxmox is mounted at /mnt/pve/