Wireshark and iSCSI

Hi,

How can I sniff traffic on my iSCSI SAN (VMware environment)?

If I set up Wireshark on a VM with promiscuous mode, how can I get it to monitor the iSCSI traffic on the iSCSI SAN?
mikeleahy Asked:

Sid_F Commented:
Take a look at this article: http://thnetos.wordpress.com/2007/06/21/tutorial-sniffing-iscsi-traffic-for-a-spoofing-attack/
It should at least point you in the right direction.
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
iSCSI Wireshark in a VM
This can be done fairly easily inside a virtual machine.

1. Set the vSwitch to Promiscuous mode.
2. Create a new Virtual Machine Port Group with a special VLAN of 4095 (ALL).

What this does is make all traffic available for sniffing on that virtual machine network port group.

3. Connect your Wireshark VM to this new Portgroup in Networking of the VM (NIC).

[Screenshot: Promiscuous-mode-network.jpg]

One of the biggest management holes in vCenter of ESX is the vSphere Client can indicate that VM network traffic is causing a 1 GB Ethernet adapter to have a 99% utilization rate. But strangely, it doesn't display which kind of traffic is going across the virtual networks, where it came from or where it's going.

To learn which traffic is going across a virtual network, there's a free tool for vSphere: Xangati for ESX, a virtual appliance that tracks conversations on the virtual network. It's great for troubleshooting any virtual network issue, analyzing virtual desktop infrastructure and correlating vCenter performance stats with virtual network stats.

and then you can really check what traffic from your 5 VMs for free is causing network issues.

It's available as a fantastic FREE download here.

http://xangati.com/try-it-free/
mikeleahy (Author) Commented:
Thanks - will the promiscuous mode enable the Wireshark VM to sniff all traffic on the portgroup or the vSwitch?

Can you set the vSwitch to promiscuous mode and sniff all vSwitch traffic then?

The method above doesn't say how to view iSCSI traffic between the ESX host and iSCSI SAN - this traffic won't go through the VM - it will go via the kernel.

So is the best way to tcpdump on the VMkernel and then use Wireshark to view that trace?
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
Enable Promiscuous mode at the Switch Level. (We enable Promiscuous mode on the vSwitch and on the VM Portgroup.)

Yes, you can sniff all traffic, that's what the VLAN 4095 is for!

If you set up the vSwitch as I've detailed above, you will be able to SNIFF iSCSI Traffic.

That Wireshark screen shot is from within a VM, Sniffing iSCSI Traffic and NFS traffic generated on the vSwitch, which has the VMKernel portgroup!

iSCSI Traffic is on the vSwitch! (VMKernel Interface, which is being sniffed)

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
With Wireshark, just Enable Capture on the VM Interface!

and Hey Presto, you'll see iSCSI and NFS traffic on the vSwitch!

Can you see the iSCSI traffic in the Capture output of the Wireshark Screenshot?

This was generated as above.
mikeleahy (Author) Commented:
Is it sniffing the iSCSI traffic because the VMkernel port is on the same vSwitch as the Wireshark VM?
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
Yes.
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
As can be seen from the Networking Screenshot.
mikeleahy (Author) Commented:
Last question before points.

When you say "With Wireshark, just Enable Capture on the VM Interface", do you mean start the capture on the local interface of the VM?
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
Yes, that's it.
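
To check that a capture taken on the Wireshark VM really contains the iSCSI traffic discussed in this thread, the following added example (not code from any of the posters) reads a capture saved in classic pcap format and counts packets per initiator/target pair on TCP port 3260, the default iSCSI port, stepping over the 802.1Q tag that frames on a VLAN 4095 port group may still carry. The IP addresses, the VLAN ID and the `make_frame()`/`sample_pcap()` helpers are constructed for illustration; pcapng files are assumed to be converted first.

```python
import socket
import struct
from collections import Counter

ISCSI_PORT = 3260  # IANA-registered default iSCSI target port

def iscsi_session(frame):
    """Return (vlan, initiator_ip, target_ip) for an iSCSI TCP frame, else None."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    pos, vlan = 14, None
    if ethertype == 0x8100 and len(frame) >= 18:  # 802.1Q tag present
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, pos = tci & 0x0FFF, 18
    if ethertype != 0x0800 or len(frame) < pos + 20:  # IPv4 only
        return None
    ihl = (frame[pos] & 0x0F) * 4
    if ihl < 20 or frame[pos + 9] != 6 or len(frame) < pos + ihl + 4:  # 6 = TCP
        return None
    src, dst = (socket.inet_ntoa(frame[pos + o:pos + o + 4]) for o in (12, 16))
    sport, dport = struct.unpack("!HH", frame[pos + ihl:pos + ihl + 4])
    # The side listening on 3260 is the target; the other end is the initiator.
    return {sport: (vlan, dst, src), dport: (vlan, src, dst)}.get(ISCSI_PORT)

def iscsi_sessions(pcap):  # packets per (vlan, initiator, target), classic pcap only
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic (non-pcapng) Ethernet pcap")
    keys, off = [], 24
    while off + 16 <= len(pcap):
        (incl_len,) = struct.unpack(order + "I", pcap[off + 8:off + 12])
        keys.append(iscsi_session(pcap[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return Counter(k for k in keys if k)

def make_frame(src, dst, sport, dport, vlan=None):  # constructed sample frame
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, 0x5010, 8192, 0, 0)
    return bytes(12) + tag + struct.pack("!H", 0x0800) + ip + tcp

def sample_pcap():  # constructed capture: two iSCSI packets, one NFS packet
    frames = [make_frame("10.0.0.11", "10.0.0.50", 51000, 3260, vlan=20),
              make_frame("10.0.0.50", "10.0.0.11", 3260, 51000, vlan=20),
              make_frame("10.0.0.11", "10.0.0.60", 51001, 2049)]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<4I", 0, 0, len(f), len(f)) + f for f in frames)
```

An empty result from `iscsi_sessions()` on a real capture means the VM's interface is not seeing the VMkernel's iSCSI traffic at all, which points back at the promiscuous-mode and port group settings rather than at Wireshark.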