2011-09-13

netstat for ESXi

The title of the post is actually misleading - on purpose - because there is no netstat for ESXi. The reason that I bring this up today is because of a Twitter conversation from today regarding SSH access and VMkernel interfaces. I was looking to see which ports were open and what interfaces were listening.
But that is a different post.

What is netstat? According to Wikipedia:

netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics. It is available on Unix, Unix-like, and Windows NT-based operating systems.

Why would you use it? For example, to check if a host has an open connection on a certain port, or if it is listening on a certain port - for troubleshooting purposes would be the proper answer.

So how do you get that information on ESXi?

Trying netstat on an ESXi host does not work - because that command is not there - see the screenshot below.

[Screenshot: No netstat]

Well that is not good - if the command is not in the busybox console then how would you go about getting that information? Well of course the clever people at VMware have already thought about this and have exposed all this information through esxcli. William Lam wrote a great set of posts on esxcli: esxcli Part1 - What is esxcli?, esxcli Part2 - Automating esxcli using vMA and esxcli Part3 - Automating esxcli using PowerShell.

This is how you would go about getting the information from esxcli. (Be aware that the commands differ between versions - 4.x is not the same as 5.x.)

esxcli network ip connection list

That is fine and dandy - but to get that info you need to either:

  1. have access to the DCUI (and have it enabled of course)
    or
  2. access remotely with SSH (and also have it enabled of course)

But what if you do not want to enable either of the above? That means you have to do it remotely, and for that you have two options: vCLI or PowerCLI.

The vCLI way

esxcli --server esx1.maishsk.local network ip connection list

But me being more of a PowerCLI guy, I would do it like this.

The PowerCLI way

$esxcli = get-esxcli -vmhost esx1.maishsk.local

$esxcli.network.ip.connection.list() | ft

Output is almost identical - just that in the case of PowerCLI the values are returned as a set of objects - a VMware.VimAutomation.ViCore.Impl.V1.EsxCli.EsxCliObjectImpl object to be precise. Once these are presented as objects I can start to mold and dice my results to my liking.

For example - I would like to check if there are any connections open on port 80 (http) - with vCLI this is not so simple, because you are essentially working in a DOS window, so filtering is not the easiest with findstr. Using the console or SSH is easier - a simple grep will work, as you can see below.

esxcli network ip connection list | grep :80

With PowerCLI

$esxcli.network.ip.connection.list() | where { $_.LocalAddress -like "*:80" } | ft

I hope you can see that the options this way are pretty much endless - like filtering all connections to show only those from a specific IP, or a complete subnet.
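
The subnet filter mentioned above, as an added example (not from the original post): it runs offline on constructed sample rows and handles IPv4 only. The `ForeignAddress` property name, the `ip:port` string format and the helper names `Split-Endpoint` and `Test-InSubnet` are assumptions made for this illustration.

```powershell
# Added example. Sample rows are constructed; on a live host you would use
#   $conns = (Get-EsxCli -VMHost esx1.maishsk.local).network.ip.connection.list()
# Assumption: LocalAddress and ForeignAddress are "ip:port" strings.
$conns = @(
    [pscustomobject]@{ Proto='tcp'; LocalAddress='192.168.10.5:80';   ForeignAddress='192.168.10.77:51515'; State='ESTABLISHED' }
    [pscustomobject]@{ Proto='tcp'; LocalAddress='192.168.10.5:8080'; ForeignAddress='10.20.30.40:40222';   State='ESTABLISHED' }
    [pscustomobject]@{ Proto='tcp'; LocalAddress='192.168.10.5:22';   ForeignAddress='192.168.11.9:60001';  State='ESTABLISHED' }
    [pscustomobject]@{ Proto='tcp'; LocalAddress='0.0.0.0:443';       ForeignAddress='0.0.0.0:0';           State='LISTEN' }
)

function Split-Endpoint {
    # "192.168.10.5:80" -> object with Address and Port; nothing for non-IPv4 rows
    param([string]$Endpoint)
    $ip = $null
    if ($Endpoint -match '^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$' -and
        [System.Net.IPAddress]::TryParse($Matches[1], [ref]$ip)) {
        [pscustomobject]@{ Address = $ip; Port = [int]$Matches[2] }
    }
}

function Test-InSubnet {
    # Byte-wise compare of the first <prefix length> bits (needs PowerShell 3.0+ for -shl)
    param([System.Net.IPAddress]$Address, [string]$Cidr)
    $net, $len = $Cidr -split '/'
    $a = $Address.GetAddressBytes()
    $n = ([System.Net.IPAddress]$net).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        $bits = [Math]::Min(8, [Math]::Max(0, [int]$len - 8 * $i))
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($n[$i] -band $mask)) { return $false }
    }
    return $true
}

# Exact local port 80: unlike `grep :80`, this skips :8080 and remote-side ports
$port80 = $conns | Where-Object { (Split-Endpoint $_.LocalAddress).Port -eq 80 }

# Connections whose remote end is inside 192.168.10.0/24
$fromSubnet = $conns | Where-Object {
    $remote = Split-Endpoint $_.ForeignAddress
    $remote -and (Test-InSubnet $remote.Address '192.168.10.0/24')
}

$port80     | Format-Table -AutoSize
$fromSubnet | Format-Table -AutoSize
```

With the constructed rows, both filters return only the first row: the 8080 listener and the 192.168.11.9 peer are excluded.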

So that is how you netstat on ESXi….