Recently I was assigned to a XenApp & XenDesktop project that leveraged XenServer as the hypervisor.
For troubleshooting purposes, I needed to capture some network traces from the XenServer. I had no clue
how to. I felt down, but it was nothing a Google search didn't remedy. To make life easier, I have
compiled a prescription for you that is guaranteed to put you back on your feet in no time.

Note: on XenServer 5.6 FP1, the steps below are only valid when Open vSwitch is not enabled.

Tcpdump can be used to capture the network traces.

  • To perform a network trace on a XenServer PIF
    Identify the PIF to run the trace on.
xe pif-list host-name-label=XenServer-Name

Use auto-completion by pressing the TAB key:
[root@xs56dxb1 ~]# xe pif-list host-name-label=XS56DXB1
uuid ( RO) : 9621c91c-3682-c047-25a5-3184ab871d76
device ( RO): eth0
currently-attached ( RO): true
VLAN ( RO): -1
network-uuid ( RO): bfc5b27b-ea93-057d-9417-d5e2fff3a5a1

uuid ( RO) : fc79e1b3-a7ec-66e0-7799-3a5489bc5cb5
device ( RO): eth1
currently-attached ( RO): true
VLAN ( RO): -1
network-uuid ( RO): a72d02b6-52ac-0392-5448-3c348790eaea

To run an unfiltered network trace on the identified PIF and write it to a file, run the following command from the command line:

tcpdump -i <device> -w /<path to file>

Example: tcpdump -i eth0 -w /eth0trace

[root@xs56dxb1 ~]# tcpdump -i eth0 -w/eth0trace
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
^C2760 packets captured
2761 packets received by filter

0 packets dropped by kernel

To stop a running trace, press Ctrl + c.



You can also omit the -w switch to print the trace to the screen instead of writing it to a file:

[root@xs56dxb1 ~]# tcpdump -i eth0
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:25:57.283944 IP 172.31.253.10.https > 172.31.253.154.49760: . 3804653694:3804656910(3216) ack 1266491020 win 276
11:25:57.284251 IP 172.31.253.154.49760 > 172.31.253.10.https: . ack 3216 win 22929
11:25:57.284269 IP 172.31.253.10.https > 172.31.253.154.49760: . 3216:5896(2680) ack 1 win 276

11:25:57.284493 IP 172.31.253.10.49167 > 172.31.253.20.domain: 57133+ PTR? 154.253.31.172.in-addr.arpa. (45)

To stop a running trace, press Ctrl + c.


If you wish to include the entire contents of the data payload as well as the packet header in the trace, use the -s 0 switch in the command. Without it, only the first 96 bytes of each packet are captured, as the "capture size 96 bytes" line in the output above shows.

tcpdump -i <device> -s 0 -w /<path to file>

Example: tcpdump -i eth0 -s 0 -w /piftracefile
To stop a running trace, press Ctrl + c.

You can also perform network traces on a virtual bridge:

Identify the bridge to be traced by running brctl show, which lists each bridge's name, bridge ID, STP state and interfaces:

[root@xs56dxb1 ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
xapi2           8000.001aa0284351       no              eth0.515
xenbr0          8000.001aa0284351       no              eth0
                                                        vif5.0
                                                        vif6.0
                                                        vif7.0
                                                        vif8.0
xenbr1          8000.001aa0284353       no              eth1

  • Once you have identified the bridge name, run the following command from the command line:
tcpdump -i <bridge> -w /<path to file>

Example: tcpdump -i xapi2


To perform a network trace of a XenServer VM vif, follow the steps below:
Note: VIF names are created dynamically on VM start. They follow the structure vifx.y, where x is the domain ID of the VM and y is the device number. The domain ID is the dynamic part of the name because it may change on VM start.

  • Identify the VM domain ID for the VM to trace.
xe vm-list name-label=<name of vm> params=dom-id

Press the TAB key to populate the list of running virtual machine names and choose the VM.

[root@xs56dxb1 ~]# xe vm-list name-label=Windows\ Server\ 2008\ R2\ x64\ -\ DBIT-VMPVS01 params=dom-id

dom-id ( RO) : 5






  • Then identify the VIF device number for the VM to trace by running:
xe vif-list vm-name-label=

Press the TAB key to populate the list of running virtual machine names and choose the VM.

[root@xs56dxb1 ~]# xe vif-list vm-name-label=Windows\ Server\ 2008\ R2\ x64\ -\ DBIT-VMPVS01
uuid ( RO) : c170e3dd-3029-7b3b-8d34-caeb129bf045
vm-uuid ( RO): 574356d1-3861-4630-df62-983923df9c9f
device ( RO): 0

network-uuid ( RO): bfc5b27b-ea93-057d-9417-d5e2fff3a5a1



So now we know that it is dom-id=5 and device number=0


Run the following command from the command line:

tcpdump -i vif<dom-id>.<device>

Example: tcpdump -i vif5.0

[root@xs56dxb1 ~]# tcpdump -i vif
vif5 vif6 vif7 vif8
[root@xs56dxb1 ~]# tcpdump -i vif5.0
tcpdump: WARNING: vif5.0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vif5.0, link-type EN10MB (Ethernet), capture size 96 bytes
12:26:36.643694 IP 172.31.253.102.51338 > 172.31.253.21.ms-sql-s: P 1950512818:1950513394(576) ack 2146438248 win 253
12:26:36.646995 IP 172.31.253.21.ms-sql-s > 172.31.253.102.51338: P 1:66(65) ack 576 win 64265

12:26:36.861847 IP 172.31.253.102.51338 > 172.31.253.21.ms-sql-s: . ack 66 win 252

To stop a running trace, press Ctrl + c
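
The VIF lookup above as a script, added here as an example and not part of the original post: it derives the vif<dom-id>.<device> names from the two xe commands and runs a full-payload capture that is capped by packet count and written to an owner-only directory, since -s 0 traces contain application data. The helper names, the /tmp/viftrace.* directory and the 10000-packet cap are assumptions.

```shell
#!/bin/sh
# Added example. Helper names, /tmp/viftrace.* and the packet cap are assumptions.

# Print the value of one field from xe output, e.g. "dom-id ( RO) : 5" -> 5.
xe_field() {    # $1 = field name, stdin = xe output
    sed -n "s/^[[:space:]]*$1[[:space:]]*([^)]*)[[:space:]]*:[[:space:]]*//p"
}

# Build vif<dom-id>.<device> for every VIF of the VM. Fails when the dom-id is
# not a non-negative integer, e.g. for a VM that is not running.
vif_names() {   # $1 = output of xe vm-list, $2 = output of xe vif-list
    local domid dev
    domid=$(printf '%s\n' "$1" | xe_field dom-id | head -n 1)
    case "$domid" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$2" | xe_field device | while read -r dev; do
        case "$dev" in ''|*[!0-9]*) continue ;; esac
        echo "vif${domid}.${dev}"
    done
}

# Full-payload capture, capped at $2 packets, into an owner-only directory.
capture_vif() { # $1 = vif name, $2 = maximum number of packets
    ( umask 077
      dir=$(mktemp -d /tmp/viftrace.XXXXXX) || exit 1
      echo "writing $dir/$1.pcap" >&2
      tcpdump -i "$1" -s 0 -c "$2" -w "$dir/$1.pcap" )
}

# Constructed sample input modelled on the xe output shown above
# (the second VIF record is made up to show a multi-NIC VM).
SAMPLE_DOMID='dom-id ( RO) : 5'
SAMPLE_VIFS='uuid ( RO) : c170e3dd-3029-7b3b-8d34-caeb129bf045
vm-uuid ( RO): 574356d1-3861-4630-df62-983923df9c9f
device ( RO): 0

uuid ( RO) : 00000000-0000-0000-0000-000000000000
device ( RO): 1'

# On a XenServer host: ./viftrace.sh "<name of vm>"
if [ -n "${1:-}" ] && command -v xe >/dev/null 2>&1; then
    names=$(vif_names "$(xe vm-list name-label="$1" params=dom-id)" \
                      "$(xe vif-list vm-name-label="$1")") || exit 1
    for vif in $names; do capture_vif "$vif" 10000 & done
    wait
fi
```

Because the names are rebuilt from the current dom-id on every run, the script keeps working after a VM restart changes the domain ID.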