Yes, you have to do it via SSH and not the GUI Diagnostics>Packet capture screen though, as it'll capture on the ng0 PPPoE interface. Just tcpdump as normal on the actual Ethernet interface being used for the PPPoE connection. Send it to file and pull it across to a machine with Wireshark for easier analysis. Something like:
tcpdump -i em0 -s 0 -w /tmp/pppoe.pcap
to grab everything on em0 to the file /tmp/pppoe.pcap
For normal ethernet, your snaplen (-s option) should be 1500 if you want the entire packet. That'll give you the entire packet, and allow full protocol decodes when loaded up into WireShark itself. Depending on what you're sniffing, you'll probably want to increase your filesize as well.
To get at least the headers of most packets, a snaplen of 200 is usually sufficient. It'll get the E_II, IP, TCP/UDP, and some of the higher level protocol headers.
There are a few types of connection resets, and each has its own meaning.
Resetting all existing connections immediately
This style of reset shows up in sniffs as a big block of RSTs being sent by the server, probably with very little traffic between the packets. This can be caused by an application above the TCP/IP stack resetting itself, which in turn tells the TCP/IP stack to kill all connection-handles associated with that module.
Resetting all existing connections when they have traffic
This shows up in the sniff with a more sneaky pattern. After a certain point, any time an existing connection receives traffic from a client station a RST packet is issued. What the client does then depends on the higher level protocol, perhaps a reconnection attempt is issued. This is usually caused by the TCP/IP stack itself silently losing connection state. As far as the stack is concerned, that packet from the client is not associated with any open connections so it just issues a RST packet and ignores it.
Resetting new connection attempts
Existing connections continue to work, but SYN packets are replied to with an RST. In normal operation this is done because there is no open port for the port listed on the SYN packet. This is typically caused by a fault in the higher level application.
As for your retransmits, those are caused by clients not receiving packets they expect to get. This can be caused by outright packet loss, or it could be that the server just isn't sending those packets at all. If your sniff on the server shows the retransmit packets, and listing the conversation shows no packets being sent by the server, it's a sign that something has gone wrong on the server itself. This can be related to faults in the higher level application, the TCP/IP stack, or the NIC driver itself. I've seen NIC driver updates fix this, but in a VM that's less likely to be the source of the problem.
Mass resets like that could be caused by resource exhaustion on the part of the server.
Best Answer
You can easily accomplish this with SysInternals' Process Monitor. Run it as Administrator, then configure it as follows: