Cisco Nexus 1000V Switch for VMware vSphere

Capture Traffic with the vempkt Command on Nexus 1000V Series Switches

Document ID: 115763

Updated: Feb 27, 2013

Contributed by Joey Ristaino, Chris Brown, and Joe LeBlanc, Cisco TAC Engineers.



This document describes the use of the vempkt command in order to capture traffic on Nexus 1000V Series Switches.

It is difficult to troubleshoot issues on the Nexus 1000V Series Switches because there is no physical switch to put your hands on. Much of the time, a packet capture is necessary in order to determine if the packets are sent upstream.



Cisco recommends that you have knowledge of these topics:

  • Cisco Nexus 1000V Series Switches

  • Cisco NX-OS Software

Components Used

The information in this document is based on Nexus 1000V Series Switches.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.


Refer to Cisco Technical Tips Conventions for more information on document conventions.

vempkt Commands

A useful command available to capture traffic that leaves a specific host in the Nexus 1000V Switch is the vempkt command. This command is very similar to a SPAN session; however, it is more flexible because it can be applied to any interface without the need for a capture device.

Begin Capture

In order to capture traffic, enter the vempkt SSH command on the command line of the ESX host that has the virtual machine (VM) for which you want to capture traffic. After you enter this command, then enter these commands:

vempkt show info - this shows information from the most recent capture.

vempkt capture all-stages vlan [y] ltl [x]

LTL is the Local Target Logic for the link. If you do not know the LTL or the VLAN, enter the vemcmd show port command and the vemcmd show port vlans command. Cisco recommends the LTL of the port channel because it includes all traffic that leaves the host and enters the host.

You can also capture one direction or dropped packets entering this command:

vempkt capture [ingress | egress | drop | all-stages] ltl [x] vlan [y]

Note: If an LTL is not specified, the capture shows all LTLs, and if a VLAN is not specified, the capture shows all VLANs.



Enter the vempkt size [mtu size] command to specify a maximum transmission unit (MTU) size capture.

Enter the vempkt show capture info command to verify your capture parameters.


Enter the vempkt start command to begin the capture.

End Capture

After you complete the operations for the capture, enter these commands in order to end the capture and export the file:

  1. vempkt stop.

  2. vempkt show info to display the statistics of the capture.

  3. vempkt display detail all > /tmp/vempkt_capture.txt. This command places the capture file into the /tmp directory of the host. From this directory, you can copy it onto a datastore and export it through vCenter.

  4. vempkt clear.

File Export

You can export the file to a packet capture (PCAP) from the CLI. Enter this command on the host: #vempkt pcap export <filename>. This command places the file in the directory in which you are currently located.

Related Information

Updated: Feb 27, 2013
Document ID: 115763