wireshark and iscsi

Posted on 2011-10-05
Medium Priority
Last Modified: 2012-05-12

how can i sniff traffic on my iscsi san (vmware environment)

if i set up wireshark on a vm with promiscuous mode - how can i get it to monitor the iscsi traffic on the iscsi san??
Question by:mikeleahy

Expert Comment

ID: 36915946
Take a look at this article http://thnetos.wordpress.com/2007/06/21/tutorial-sniffing-iscsi-traffic-for-a-spoofing-attack/
It should at least point you in the right direction
LVL 124
ID: 36915991
iSCSI Wireshark in a VM
This can be done fairly easily inside a Virtual Machine.

1. Set the vSwitch to Promiscuous mode.
2. Create a new Virtual Machine Port Group with a special VLAN of 4095 (ALL).

What this does, is all traffic will be available for sniffing on that virtual machine network port group.

3. Connect your Wireshark VM to this new Portgroup in Networking of the VM (NIC).

One of the biggest management holes in vCenter of ESX is the vSphere Client can indicate that VM network traffic is causing a 1 GB Ethernet adapter to have a 99% utilization rate. But strangely, it doesn't display which kind of traffic is going across the virtual networks, where it came from or where it's going.

To learn which traffic is going across a virtual network, there's a free tool for vSphere: Xangati for ESX, a virtual appliance that tracks conversations on the virtual network. It's great for troubleshooting any virtual network issue, analyzing virtual desktop infrastructure and correlating vCenter performance stats with virtual network stats.

and then you can really check what traffic from your 5 VMs for free is causing network issues.

It's available as a fantastic FREE download here.


Author Comment

ID: 36916327
thanks - will the promiscuous mode enable the wireshark vm to sniff all traffic on the portgroup or the vswitch?

can you set the vswitch to promiscuous mode and sniff all vswitch traffic then ?

the method above doesn't say how to view iscsi traffic between the esx host and iscsi san - this traffic won't go through the vm - it will go via the kernel

so is best way to tcpdump on the vmkernel and use wireshark then to view that trace??
LVL 124

Accepted Solution

Andrew Hancock (VMware vExpert / EE MVE^2) earned 2000 total points
ID: 36916351
Enable Promiscuous mode at the Switch Level. (we enable Promiscuous mode on the vSwitch and on the VM Portgroup)

Yes, you can sniff all traffic, that's what the VLAN 4095 is for!

If you setup the vSwitch as I've detailed above, you will be able to SNIFF iSCSI Traffic.

That Wireshark screen shot is from within a VM, Sniffing iSCSI Traffic and NFS traffic generated on the vSwitch, which has the VMKernel portgroup!

iSCSI Traffic is on the vSwitch! (VMKernel Interface, which is being sniffed)
LVL 124
ID: 36916357
With Wireshark, just Enable Capture on the VM Interface!

and Hey Presto, you'll see iSCSI and NFS traffic on the vSwitch!

Can you see the iSCSI traffic in the Capture output of the Wireshark Screenshot?

This was generated as above.

Author Comment

ID: 36916424
is it sniffing the iscsi traffic cos the vmkernel port is on the same vswitch as the wireshark vm?
LVL 124
ID: 36916446
LVL 124
ID: 36916451
as can be seen from the Networking Screenshot.

Author Comment

ID: 36922882
last q before points

when you say With Wireshark, just Enable Capture on the VM Interface  - do you mean  start the capture on the local interface of the vm?
LVL 124
ID: 36923512
Yes, that's it.
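
Added example, not part of the original thread: a port group left on VLAN 4095 after troubleshooting keeps exposing the iSCSI and NFS VMkernel traffic discussed above, so this Python sketch parses a port group listing and reports each VLAN 4095 port group with the port groups that share its vSwitch. The sample is constructed in the column layout of `esxcli network vswitch standard portgroup list` with hypothetical names; the listing does not show the promiscuous-mode policy, so the script assumes it is set to accept as in the thread.

```python
import re

# Constructed sample in the column layout of
# `esxcli network vswitch standard portgroup list` (names are hypothetical).
SAMPLE = """\
Name                Virtual Switch  Active Clients  VLAN ID
------------------  --------------  --------------  -------
Management Network  vSwitch0                     1        0
VM Network          vSwitch0                     4       10
iSCSI-VMkernel      vSwitch1                     1        0
NFS-VMkernel        vSwitch1                     1       20
Sniffer-All         vSwitch1                     1     4095
"""

TRUNK_ALL_VLAN = 4095  # the "ALL" VLAN ID used in the thread


def parse_portgroups(text):
    """Names may contain spaces: slice text columns by the dash ruler,
    take the two numeric columns from the right."""
    lines = [l for l in text.splitlines() if l.strip()]
    ruler = next(i for i, l in enumerate(lines) if set(l) <= {"-", " "})
    (n0, n1), (v0, v1) = [m.span() for m in re.finditer(r"-+", lines[ruler])][:2]
    rows = []
    for line in lines[ruler + 1:]:
        clients, vlan = line.rsplit(None, 2)[1:]
        rows.append({"name": line[n0:n1].strip(), "vswitch": line[v0:v1].strip(),
                     "clients": int(clients), "vlan": int(vlan)})
    return rows


def find_sniffable(rows):
    """Map each VLAN 4095 port group to the other port groups on its vSwitch,
    i.e. the traffic a capture VM attached to it can observe."""
    findings = {}
    for pg in rows:
        if pg["vlan"] == TRUNK_ALL_VLAN:
            findings[pg["name"]] = {
                "vswitch": pg["vswitch"],
                "attached_clients": pg["clients"],
                "exposed": sorted(o["name"] for o in rows
                                  if o["vswitch"] == pg["vswitch"] and o is not pg),
            }
    return findings


if __name__ == "__main__":
    for name, f in find_sniffable(parse_portgroups(SAMPLE)).items():
        print(f"{name} on {f['vswitch']}: {f['attached_clients']} client(s) "
              f"attached; can observe {', '.join(f['exposed'])}")
```

A non-zero client count on a reported port group means something is attached to it right now and is worth identifying.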


Question has a verified solution.
