I have an issue I am trying to track down and I believe the problem is with physical networking hardware. I have read the VMware documentation on the pktcap-uw command and I know I can use it to dump the traffic to a file which can then be viewed with Wireshark, but the pcaps I am getting are a little weird.
Looking at the documentation, I want to see traffic only between two IP addresses (IP A and IP B) on port 80 and I can use the --ip switch, but if I have --ip A --ip B, is that a boolean AND or a boolean OR?
tcpdump allows you to specify OR or AND and use parentheses to do a full boolean expression. For pktcap-uw there is also --dstip and --srcip, but if you use the tcpdump equivalent, you would normally get only half the conversation.
What would be the correct syntax?
I just tested with pktcap-uw.
When you specify --ip two times, only the last specified option is used.
If you specify different types of options, e.g. --ip and --tcpport, they are ANDed.
There are some VProbe options to pktcap-uw. My best guess for going forward would be that you may be able to manually compile a VProbe script that filters the traffic that you want and feed it to pktcap-uw.
Found a git repository with a VProbe toolkit here: https://github.com/vmware/vprobe-toolkit/
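Putting the answer's findings together as an added example (not code from either post): since only the last --ip is kept but --srcip, --dstip and --tcpport are ANDed, each direction of the A to B port-80 conversation can be captured as its own AND filter and the two files merged afterwards. The addresses 10.0.0.1/10.0.0.2, the /tmp output directory and the mergecap step are assumptions, not from the original thread.

```shell
#!/bin/sh
# Added example (not from the original posts). pktcap-uw keeps only the last
# --ip given, but ANDs options of different types, so one capture per direction
# with --srcip/--dstip/--tcpport gets the whole conversation across two files.
# Assumed placeholder values: hosts 10.0.0.1 and 10.0.0.2, output dir /tmp.

# Build the pktcap-uw command line for one direction of the conversation.
# Usage: pktcap_cmd <srcip> <dstip> <tcpport> <outfile>
pktcap_cmd() {
    printf 'pktcap-uw --srcip %s --dstip %s --tcpport %s -o %s\n' "$1" "$2" "$3" "$4"
}

# Start both directions in the background and wait for them. Stop with Ctrl-C,
# or add "-c <count>" to pktcap_cmd to stop after a fixed number of packets.
# Usage: capture_conversation <ipA> <ipB> <tcpport> [outdir]
capture_conversation() {
    a=$1; b=$2; port=$3; dir=${4:-/tmp}
    cmd_ab=$(pktcap_cmd "$a" "$b" "$port" "$dir/a_to_b.pcap")
    cmd_ba=$(pktcap_cmd "$b" "$a" "$port" "$dir/b_to_a.pcap")
    if command -v pktcap-uw >/dev/null 2>&1; then
        sh -c "$cmd_ab" & pid_ab=$!
        sh -c "$cmd_ba" & pid_ba=$!
        wait "$pid_ab" "$pid_ba"
    else
        # Not on an ESXi host: just show what would be run.
        echo "pktcap-uw not found; would run:" >&2
        echo "  $cmd_ab" >&2
        echo "  $cmd_ba" >&2
    fi
}

# Example invocation with the assumed placeholder addresses:
# capture_conversation 10.0.0.1 10.0.0.2 80 /tmp
```

Copy both pcaps off the host and combine them with Wireshark's mergecap (mergecap -w conversation.pcap a_to_b.pcap b_to_a.pcap) to view the full conversation in order.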