Home > Lab, VMware > Network sniffing in VMware ESXi

Network sniffing in VMware ESXi

2011/05/20

VMWare ESXi is perfect for a self contained lab, but as I’m used to having full access to a ‘real’ network there are a few things I miss not having control over for testing and other things. The biggest of these is a spanf port (or mirror port depending on your hardware). If you’re not familiar, the basic premise is to configure one (or more ports) to reproduce any traffic flowing through any port(s). This provides packet level access for debugging network problems, passing to an I[D/P]S, etc.

ESXi doesn’t provide this functionality, but does allow you to set a vSwitch to be ‘promiscuous’. Unfortunately this isn’t as controllable as a span/mirror port as (from the quick tests I’ve run) essentially turns the vSwitch into a vHub. Not a problem in my lab environment but you probably want to give it some serious thought before enabling in a production environment; do you really want every server on the network to be able to see all traffic on the (virtual) wire?

To make the change in ESXi you need host -> Configuration -> Networking and set the properties as shown below:

vSwitch properties

vSwitch properties

Once this change is made, any guests connected to the vSwitch can all see any of the network traffic on that switch.

For testing you can build a quick lab scenario with 3 live boot BackTrack systems. Each machine has a different role; server, client and ‘sniffer’. The sniffing machine is now able to view direct communication between the other two systems. Using wireshark’s Follow TCP stream functionality shows the conversation:

sniffed TCP stream

sniffed TCP stream

–Andrew Waite

Advertisements
Categories: Lab, VMware
  1. Anas
    2012/08/10 at 11:02

    Could you explain to me, what does “MAC adress changes” “forged transmits” options means.
    Thank you.

  1. No trackbacks yet.
Comments are closed.
%d bloggers like this: