Tech Line

Virtual Network Sniffing Summary

Here’s how to monitor and capture data on virtual networks.

Chris: I have a few questions about virtual network behavior in VMware. I’m trying to perform some tests using data capture tools and came upon the vnetsniffer.exe tool from VMware. Is this a useful tool for troubleshooting, or do you recommend something else? Also, can you tell me if promiscuous mode captures are possible over virtual networks? I can probably perform some of my own testing on this but, to be honest, I’m too lazy.
— Joseph


Joseph, first I must say that I appreciate your honesty. For a minute I thought that I’d say that I’m too lazy too and leave it up to my readers to fill in the blanks, but I don’t think that my editor would appreciate that. [Editor's Note: Good call, Chris!] So let me get on with the answer.

Let’s start with vnetsniffer.exe. On Windows VM hosts running either VMware Workstation or VMware GSX Server, you can find the vnetsniffer.exe tool in the default installation folder, such as "C:\Program Files\VMware\VMware Workstation." When run, this tool will provide you with very basic information about network communications over a virtual network, such as source and destination addresses and transport protocol (TCP or UDP). When run with the /e switch, the source and destination MAC addresses are also displayed. The tool does not display source or destination ports.

Here’s an example of running vnetsniffer to capture traffic on the virtual host only network:

vnetsniffer vmnet1

For VMs bridged to the physical LAN interface on the host, you would specify vmnet0 as the target network. Here’s a sample of what you can expect to see as output from the tool:

IP src 192.168.0.100   dst 192.168.0.5     TCP
IP src 192.168.0.5     dst 192.168.0.100   TCP
IP src 192.168.0.100   dst 192.168.0.5     TCP
IP src 192.168.0.5     dst 192.168.0.100   TCP

As you can see, not much information is being displayed. However, the good news is that your VMware virtual networks are interconnected with virtual hubs. This means that you can run a capture tool in promiscuous mode and capture all traffic on a virtual network. Also, with host only networking enabled, you can use a tool such as Ethereal to capture all virtual network data from the host system. I tried to capture all virtual network data from the host for VMs connected to a bridged network and was not successful. So for a true promiscuous mode capture from the host, you should configure the VMs to connect to the host only network. If you are using bridged networking, a work-around would be to just run Ethereal and get a capture from within a VM. This approach can allow you to get a promiscuous mode capture on both host only and bridged networks.

For detailed analysis of traffic on virtual networks, I recommend using a tool such as Ethereal, since it will give you much more detail than you will see in vnetsniffer.exe. With the promiscuous mode capture, you’ll be able to capture all of the traffic on a complete virtual network (whereas without promiscuous mode you’ll only capture traffic to or from the actual interface on which Ethereal is bound).

For the Virtual Server 2005 users out there, you can also perform promiscuous mode captures by running Ethereal on any VM attached to a virtual network. As with VMware bridged networks, you won’t have much luck running promiscuous mode captures from the host.

So if all you want is basic traffic flow analysis, vnetsniffer.exe will probably suffice. For advanced capturing and analysis, using a tool such as Ethereal is definitely the way to go. Since virtual networks are interconnected using virtual hubs, true promiscuous mode captures can be made by running a tool such as Ethereal from within a VM. As I mentioned before, you can also perform promiscuous mode captures from a VMware host over the virtual host only Ethernet adapter.
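As an added example (mine, not the column's or VMware's), here is a small Python script that turns vnetsniffer's per-packet lines into the basic flow summary described above: packets per direction, per conversation and per host, plus flows that were only ever seen in one direction, which is how you spot unanswered traffic or a capture that is not actually seeing the whole segment. The sample input is constructed in the output format shown earlier in the column.

```python
import re
from collections import Counter

# Constructed sample in the format vnetsniffer prints (no /e switch), plus one
# junk line to show that unparsable input is skipped rather than crashing.
SAMPLE = """\
IP src 192.168.0.100   dst 192.168.0.5     TCP
IP src 192.168.0.5     dst 192.168.0.100   TCP
IP src 192.168.0.100   dst 192.168.0.5     TCP
IP src 192.168.0.5     dst 192.168.0.100   TCP
IP src 192.168.0.100   dst 192.168.0.1     UDP
(this line is deliberately not in vnetsniffer format)
"""

# One packet per line: "IP src <addr> dst <addr> <TCP|UDP>"
LINE_RE = re.compile(r"^IP\s+src\s+(\S+)\s+dst\s+(\S+)\s+(TCP|UDP)\s*$")


def parse_packets(text):
    """Yield (src, dst, proto) for every line that matches the tool's format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def summarize(text):
    """Count packets per direction, per conversation, and per host."""
    flows = Counter()          # (src, dst, proto) -> packets in that direction
    conversations = Counter()  # ((a, b), proto) -> packets in both directions
    hosts = Counter()          # addr -> packets sent or received
    for src, dst, proto in parse_packets(text):
        flows[(src, dst, proto)] += 1
        conversations[(tuple(sorted((src, dst))), proto)] += 1
        hosts[src] += 1
        hosts[dst] += 1
    return flows, conversations, hosts


def one_sided(flows):
    """Flows with no packets in the reverse direction: unanswered traffic, or a
    capture that only sees one side because it is not running promiscuously."""
    return sorted(f for f in flows if (f[1], f[0], f[2]) not in flows)


if __name__ == "__main__":
    flows, convs, hosts = summarize(SAMPLE)
    for (a, b), proto in sorted(convs):
        print(f"{a} <-> {b} {proto}: {convs[((a, b), proto)]} packets")
    print("one-sided:", one_sided(flows))
```

Pipe the real tool's output into it (for example, vnetsniffer vmnet1 redirected to a file) and the conversation table gives you the traffic-flow view in one screen instead of scrolling through per-packet lines.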

I’m sure some of you readers have some other cool scanning and capturing tricks for virtual machines. If so, please post them as comments to this article.

About the Author

Chris Wolf is a Microsoft MVP for Windows -- Virtual Machine and is an MCSE, MCT, and CCNA. He's a Senior Analyst for Burton Group who specializes in the areas of virtualization solutions, high availability, storage and enterprise management. Chris is the author of Virtualization: From the Desktop to the Enterprise (Apress) and Troubleshooting Microsoft Technologies (Addison Wesley), and a contributor to the Windows Server 2003 Deployment Kit (Microsoft Press).
