Solved

Promiscuous mode on Hyper-V vswitch - Wiresharking from within a VM

Posted on 2014-01-17
11
5,362 Views
Last Modified: 2014-11-12
Hi,

Setup:

Hyper-V host (2012) with an 'external'  vswitch configured against a physical NIC.

VM guest (various OS) work fine and can communicate fine. no issue with normal networking.

Query:
OK, so..... running Wireshark on the VM Guest can only pick up broadcast traffic etc, as it's 'behind'' a virtual switch that may be filtering out all the traffic seen by the NIC.
(Yes, The physical switch port is correctly set to mirror, confirmed by running Wireshark on a physical client.)

Anyone have any idea how to make a VM able to see all traffic, as if the NIC was assigned to it directly?

IE, the VM guest NIC should see all traffic flowing via the physical NIC.
0
Comment
Question by:Steve
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 2
  • 2
11 Comments
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39788333
0
 
LVL 27

Author Comment

by:Steve
ID: 39788627
yes, I've seen that before but it doesn't cover my query.
I want to monitor traffic on the network in general, NOT just within the hyper-v environment.

That guide sets a VM as the source and another VM as the destination and would only apply if you could set the Physical NIC as the source, which it doesn't mention.
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39788665
Hmmm I see what you mean now ... The only thing coming immediately to mind now is to use passthrough for the NIC to your VM, obviously this would make the NIC unavailable for the other VMs...
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 
LVL 27

Author Comment

by:Steve
ID: 39799672
No problem with that. I could dedicate a NIC to it if necessary. Do you know how to do that?
0
 
LVL 39

Expert Comment

by:Philip Elder
ID: 39823246
If the vSwitch is set to External, whether shared by the host or not, any VM attached to that vSwitch should be able to "see" all inbound and outbound traffic on the network.

There are settings that pass through or accelerate certain guest activities on the physical NIC (Intel VT-x, VMQ, SR-IOV, ETC) but essentially the vSwitch is a passive entity.

Perhaps there is a firewall setup of some sort causing the "filtering" that you are seeing?

In my experience the vSwitch does not interfere in any way.

Philip
0
 
LVL 27

Author Comment

by:Steve
ID: 39834882
Hi Philip,

I see what you're trying to say, but it is still a 'switch'. This means the VM only sees traffic that the switch chooses to send to it, not everything.

We would be able to see everything if it were more of a vHub instead of a vSwitch, but a switch does 'filter' out traffic by design. That's standard layer 2 stuff.

Managed switches often have a port-mirror facility to get around this layer 2 filtering, but it's not looking like that's possible on a vSwitch.
0
 
LVL 39

Assisted Solution

by:Philip Elder
Philip Elder earned 250 total points
ID: 39836172
Understood.

TN: vSwitch Layer 2: http://bit.ly/1fuUETn

But, more to the point: http://bit.ly/1iqin9p
As we can see in this TN article there are a series of PowerShell commands that can be used to manage the vSwitch ACL setup for a VM.

That leads to: http://bit.ly/LyJcwo (Introducing the Hyper-V Extensible Switch)
This post talks about plugging into the switch and another way to manage it: Hyper-V Manager.

Perhaps what we are setting is that this neat new feature set is the victim of poor documentation? :)

Philip
14-02-05-EE---01-Hyper-V.PNG
0
 
LVL 27

Author Comment

by:Steve
ID: 39879486
Thanks Philip.
There's some interesting stuff there, and well worth a look, but I'm afraid it doesn't appear cover what I need.

So far everything in there is designed to allow traffic control (and even monitoring) between VMs as the switch element of the system still decides which traffic to send to the VM in the normal way.
There doesn't appear to be anything relating to allowing all traffic coming from the physical NIC to reach a VM even when it isn't intended for the VM, which currently makes a VM unsuitable for Wiresharking.
0
 
LVL 27

Accepted Solution

by:
Steve earned 0 total points
ID: 39920520
The answer appears to be that it is not possible to monitor traffic from the physical LAN from within a VM.

Some good general info on vswitches that's worth remembering, but doesn't achieve what I needed.
0
 
LVL 27

Author Closing Comment

by:Steve
ID: 39932325
Some useful info from Philip but nothing to solve the original question.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The reason that corporations and businesses use Windows servers is because it supports custom modifications to adapt to the business and what it needs. Most individual users won’t need such powerful options. Here I’ll explain how you can enable Wind…
Ransomware is a malware that is again in the list of security  concerns. Not only for companies, but also for Government security and  even at personal use. IT departments should be aware and have the right  knowledge to how to fight it.
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question