How to capture with Wireshark in VMware

You can capture traffic to or from a virtual host in VMware in a variety of ways. Keep in mind that some of the changes described here may cause a brief outage while they are being put in place. I have yet to have that happen to me in a production situation, but it could happen.

1) Directly on host

This works just as it would on a physical host: run Wireshark (or its command-line capture tool, dumpcap) on the machine whose traffic you want. While this might be the easiest way to get a packet capture, it may not be possible, because you may not have access to the machine for a variety of reasons. If you can capture directly on the host, make sure you have plenty of disk space, and bound the capture with a ring buffer rather than writing one ever-growing file. Depending on the problem you are diagnosing, you may need a good amount of disk space to collect the information you are looking for, and a capture that fills the system disk turns a troubleshooting exercise into an outage of its own.
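As an added example (not part of the original post), here is how to run that bounded capture on a Windows host with dumpcap, which ships with Wireshark. The dumpcap path, interface number, output directory, capture filter and size limits are assumptions to adjust for your own host; the script refuses to start if the drive does not have headroom beyond the ring buffer.

```powershell
# Added example, not from the original post. Runs dumpcap with a ring buffer so a
# long-running capture cannot fill the disk. All values below are placeholders.
$Dumpcap    = 'C:\Program Files\Wireshark\dumpcap.exe'
$Interface  = 1                  # interface number from: & $Dumpcap -D
$OutDir     = 'D:\captures'
$Filter     = 'not port 3389'    # keep your own RDP session out of the trace (assumed)
$MaxTotalMB = 2048               # hard cap on disk used by this capture
$FileMB     = 256                # size of each file in the ring

# Refuse to start unless the drive has at least twice the ring-buffer size free,
# so the capture cannot starve the OS or other services of disk space.
$drive  = Get-PSDrive -Name $OutDir.Substring(0, 1)
$freeMB = [int]($drive.Free / 1MB)
if ($freeMB -lt ($MaxTotalMB * 2)) {
    throw "Only $freeMB MB free on drive $($drive.Name); need at least $($MaxTotalMB * 2) MB"
}
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Number of files to keep: dumpcap deletes the oldest once this many exist.
$files = [math]::Ceiling($MaxTotalMB / $FileMB)
$out   = Join-Path $OutDir ('{0}-{1:yyyyMMdd-HHmm}.pcapng' -f $env:COMPUTERNAME, (Get-Date))

# -b filesize:N is in kilobytes; -b files:N bounds the total number of files.
& $Dumpcap -i $Interface -f $Filter -b "filesize:$($FileMB * 1024)" -b "files:$files" -w $out
```

Stop the capture with Ctrl+C; the newest `$files` files in `$OutDir` are what remain, and Wireshark's File > File Set menu can step through them in order.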

2) Using a Standard Switch

This is one of the two types of virtual switch you will probably encounter in a VMware environment. For those without a VMware background, a Standard Switch resides on a single physical VMware (ESXi) host. Just as a physical switch can carry multiple VLANs, so can a VMware Standard Switch; here the object you will see is called a Port Group, and it is where you assign a VLAN to the ports that the virtual hosts connect to.

The trick to doing a packet capture with a standard switch is to create a second port group with a different name but the same VLAN number as the port group the virtual host is already on. Once the port group exists, open its properties (the Security policy) and set Promiscuous Mode to Accept, then save your changes. Connect the network adapter of the sniffing VM to this temporary port group. Only the sniffing VM needs to be on the promiscuous port group: on a standard switch a promiscuous port group receives every frame that crosses that vSwitch on its VLAN, so the source server can stay on its existing port group as long as both VMs are on the same ESXi host, vSwitch and VLAN. If the source VM does need to be moved to the new port group (VMware admins may call this "vMotioning" the server, although changing a port group is a reconfiguration of the VM's virtual NIC rather than a live migration between hosts), you should see little to no packet loss. A real vMotion between hosts, if the admin chooses to do one to get both VMs onto the same host, can take from about 20 seconds to several minutes depending on other VMware management activity and the CPU speed of the particular physical host. Either way, verify that the server still has network connectivity afterwards. Two cautions: promiscuous mode lets any VM attached to that port group see every frame on the VLAN, so give the port group a clear name, keep only the capture VM on it, and delete it when the capture is finished; and keep the two VMs on the same host for the duration, because a standard switch is local to one host and a vMotion of either VM away from it quietly ends the capture.
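The port group steps above, as an added PowerCLI example that is not part of the original post. It assumes VMware PowerCLI with an active Connect-VIServer session; the VM names and the temporary port group name are placeholders. It creates the second port group on the source VM's vSwitch and VLAN, enables promiscuous mode, moves only the capture VM's NIC, confirms the policy took effect, and provides the cleanup step so the promiscuous port group does not outlive the capture.

```powershell
# Added example, not from the original post. Assumes VMware PowerCLI and an active
# Connect-VIServer session. VM and port-group names are placeholders.
function New-PromiscuousCapturePortGroup {
    param(
        [string]$SourceVmName,    # VM whose traffic you want to see
        [string]$CaptureVmName,   # VM running Wireshark
        [string]$TempPgName = "PG-CAPTURE-TEMP-$SourceVmName"
    )
    $sourceVm  = Get-VM -Name $SourceVmName
    $captureVm = Get-VM -Name $CaptureVmName

    # A standard switch is local to one ESXi host, so both VMs must be on that host.
    if ($sourceVm.VMHost.Name -ne $captureVm.VMHost.Name) {
        throw "Source is on $($sourceVm.VMHost.Name) but the capture VM is on $($captureVm.VMHost.Name)"
    }

    # Port group and standard switch the source VM's first NIC is attached to.
    $srcNic = Get-NetworkAdapter -VM $sourceVm | Select-Object -First 1
    $srcPg  = Get-VirtualPortGroup -VMHost $sourceVm.VMHost -Name $srcNic.NetworkName -Standard
    $vss    = Get-VirtualSwitch -VMHost $sourceVm.VMHost -Name $srcPg.VirtualSwitchName -Standard

    # Second port group: same vSwitch, same VLAN, promiscuous mode accepted.
    $tempPg = New-VirtualPortGroup -Name $TempPgName -VirtualSwitch $vss -VLanId $srcPg.VLanId
    Get-SecurityPolicy -VirtualPortGroup $tempPg |
        Set-SecurityPolicy -AllowPromiscuous $true | Out-Null

    # Only the sniffing VM's NIC moves; remember where it came from for cleanup.
    $capNic = Get-NetworkAdapter -VM $captureVm | Select-Object -First 1
    $originalNetwork = $capNic.NetworkName
    Set-NetworkAdapter -NetworkAdapter $capNic -Portgroup $tempPg -Confirm:$false | Out-Null

    # Check that the policy really took effect before you start Wireshark.
    $pol = Get-SecurityPolicy -VirtualPortGroup $tempPg
    if (-not $pol.AllowPromiscuous) { throw "Promiscuous mode is still disabled on $TempPgName" }

    [pscustomobject]@{
        PortGroup      = $TempPgName
        VLanId         = $srcPg.VLanId
        VSwitch        = $vss.Name
        CaptureVm      = $CaptureVmName
        RestoreNetwork = $originalNetwork
    }
}

# Undo: put the capture NIC back and delete the promiscuous port group, which would
# otherwise remain as a place from which any attached VM can sniff the VLAN.
function Remove-PromiscuousCapturePortGroup {
    param([Parameter(ValueFromPipeline)]$Setup)
    $captureVm = Get-VM -Name $Setup.CaptureVm
    Get-NetworkAdapter -VM $captureVm | Select-Object -First 1 |
        Set-NetworkAdapter -NetworkName $Setup.RestoreNetwork -Confirm:$false | Out-Null
    Get-VirtualPortGroup -VMHost $captureVm.VMHost -Name $Setup.PortGroup -Standard |
        Remove-VirtualPortGroup -Confirm:$false
}

# Usage with placeholder names; run the capture from the console of the capture VM,
# then pipe the returned object into Remove-PromiscuousCapturePortGroup.
$setup = New-PromiscuousCapturePortGroup -SourceVmName 'app01' -CaptureVmName 'wireshark01'
$setup
```

The returned object is the record you hand to the cleanup function; keep it (or note the port group name) so the temporary port group is actually removed when the capture is over.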

If there isn't a VM available with Wireshark installed, get one created, patched and configured. To make the network card in your sniffing VM passive, so that it does not transmit traffic of its own, disable all of the protocol bindings on that card (IPv4, IPv6, Client for Microsoft Networks, File and Printer Sharing, LLDP/LLTD and so on), leaving only the capture driver (Npcap or WinPcap) bound. If you use a client OS such as Windows 7, 8 or 10, you will usually be working with a single network card; client OSs are normally set up with one NIC, since they do not route between interfaces. With the bindings removed from that NIC the VM has no IP connectivity, so your VMware admin will need to give you console access through the vSphere or vCenter web client. Your VMware admin may also want to move some of the other VMs off the host where your source and capture VMs reside, as the capture VM can generate significant CPU utilization and slow down the other VMs on that host.

If you are using a server OS for your capture VM, give it a second NIC on a normal (non-promiscuous) port group and manage it over that NIC with RDP, TeamViewer or whatever remote-access tool you prefer, leaving the first NIC dedicated to capturing.
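Making the sniffing NIC passive, as an added example that is not part of the original post. It applies to the capture VM in both the standard switch and the distributed switch scenarios. It assumes a Windows 8 / Server 2012 or newer guest (the NetAdapter cmdlets are not available on Windows 7, where the bindings are unticked in the adapter's Properties dialog instead), is run as Administrator, and uses a placeholder adapter name. It refuses to touch the NIC that holds the default route, which is the mistake that locks you out of your own RDP session.

```powershell
# Added example, not from the original post. Run as Administrator inside the Windows
# capture VM (Windows 8 / Server 2012 or later). The adapter name is a placeholder.
function Set-PassiveCaptureNic {
    param([string]$AdapterName = 'Ethernet1')

    # Safety check: never strip IP from the NIC carrying your own management session
    # (the one that holds a default route), or you cut yourself off from the VM.
    $mgmtNics = (Get-NetRoute -DestinationPrefix '0.0.0.0/0', '::/0' -ErrorAction SilentlyContinue).InterfaceAlias
    if ($mgmtNics -contains $AdapterName) {
        throw "$AdapterName holds the default route; use the vSphere console or a second NIC"
    }

    # Disable every binding except the packet capture driver, so the NIC neither
    # obtains an address nor announces itself (no ARP, NetBIOS, LLDP or IPv6 chatter).
    Get-NetAdapterBinding -Name $AdapterName |
        Where-Object { $_.Enabled -and $_.DisplayName -notmatch 'Npcap|WinPcap' } |
        ForEach-Object {
            Disable-NetAdapterBinding -Name $AdapterName -ComponentID $_.ComponentID -Confirm:$false
        }

    # Report what is still bound; only the capture driver should remain.
    Get-NetAdapterBinding -Name $AdapterName |
        Where-Object Enabled |
        Select-Object Name, DisplayName, ComponentID
}

Set-PassiveCaptureNic -AdapterName 'Ethernet1'
```

After it runs, `ipconfig` should show no address on that adapter, and a capture on it should contain no frames sourced from the VM's own MAC.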

3) Using a Distributed Switch

The Distributed Switch is available only when you are using vCenter Server with a license that includes it to manage multiple vSphere hosts. A distributed switch spans all of the vSphere hosts that have been added to it. With a distributed switch you have the option of port mirroring, similar to SPAN on Cisco or other managed switches. Select the Distributed Switch, edit its settings and look for the section labeled Port Mirroring.

Since there probably aren't any port mirroring sessions configured at this point, the detail fields will be empty. Click the Add button to start creating a monitor session. Enter a name and a description. In case you need to re-use this port mirror setup later, give it a name that means something, ideally including who owns it and why it exists; that helps keep another admin from removing it because they don't know what it is for, and just as importantly reminds you to remove it when the capture is done, since a forgotten mirror session keeps copying the VM's traffic to the destination indefinitely.

Your next step is to add a source port. The first thing you need is the port ID number of the port the VM you want to capture from is connected to. You can find this by clicking on the Distributed Switch and looking at the Ports tab to identify the port you need to select. Under Traffic Direction, select Ingress and Egress to capture both directions unless you are only interested in one.

The next item to configure is the destination. The options are another VM's distributed port or an unused uplink port. Using an unused physical uplink port lets you attach an external device to capture the traffic. If the destination is a VM port, decide whether that VM should keep using the port for its own traffic: the session has an "Allow normal IO on destination ports" setting. Leave it disabled for a dedicated capture NIC, or enable it if the capture VM has only one NIC and you still need to reach it over the network. Newer vSphere versions also offer remote (encapsulated, ERSPAN-style) mirroring session types that send the mirrored traffic to an IP address, which is useful when the capture host is not on the distributed switch at all.

Just like the standard switch scenario, you will need some type of capture VM, prepared as described above: patched, with the protocol bindings disabled on the sniffing NIC, reached through the vSphere console (or over a second NIC if it runs a server OS), and with an eye on the CPU load it places on the host. Note that a plain Distributed Port Mirroring session only works when the source and destination ports are on the same ESXi host, even though the switch itself spans hosts; if the two VMs are on different hosts, either move one of them or use one of the remote mirroring session types.


Once you are finished with the configuration, make sure the session's Status is set to Enabled (a new session may be created disabled by default) and click Finish to activate the port mirror configuration. Confirm the session appears in the Port Mirroring list as enabled, start the capture, and check that frames from the source VM are arriving. When you are done, disable or remove the session.
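The same port mirroring session created from PowerCLI, as an added example that is not part of the original post. PowerCLI has no high-level cmdlet for port mirroring, so this goes through the vSphere API objects (VMwareVspanSession, VMwareDVSVspanConfigSpec, VMwareDVSConfigSpec). It assumes an active Connect-VIServer session; the VM names and the session name are placeholders. It reads the port ID from each VM's NIC backing (the same port ID the Ports tab shows), checks the same-host constraint, mirrors both directions to the capture VM's port, verifies the session is listed as enabled, and includes the removal step.

```powershell
# Added example, not from the original post. Creates a Distributed Port Mirroring
# session through the vSphere API from PowerCLI. VM and session names are placeholders.
function Get-DvPortInfo {
    param([string]$VmName)
    $vm  = Get-VM -Name $VmName
    $nic = Get-NetworkAdapter -VM $vm | Select-Object -First 1
    $backing = $nic.ExtensionData.Backing
    if ($backing -isnot [VMware.Vim.VirtualEthernetCardDistributedVirtualPortBackingInfo]) {
        throw "$VmName's NIC is not connected to a distributed switch port"
    }
    [pscustomobject]@{
        VmName     = $VmName
        Host       = $vm.VMHost.Name
        PortKey    = $backing.Port.PortKey      # the port ID shown on the Ports tab
        SwitchUuid = $backing.Port.SwitchUuid
    }
}

function New-DvPortMirrorSession {
    param(
        [string]$SourceVmName,
        [string]$CaptureVmName,
        [string]$SessionName,
        [bool]$AllowNormalIo = $true   # capture VM keeps using this NIC for its own traffic
    )
    $src = Get-DvPortInfo $SourceVmName
    $dst = Get-DvPortInfo $CaptureVmName
    if ($src.SwitchUuid -ne $dst.SwitchUuid) { throw 'Both VMs must be on the same distributed switch' }
    # A plain Distributed Port Mirroring session only works when source and
    # destination ports are on the same ESXi host.
    if ($src.Host -ne $dst.Host) { throw "Source on $($src.Host), capture VM on $($dst.Host)" }

    $vds = Get-VDSwitch | Where-Object { $_.ExtensionData.Uuid -eq $src.SwitchUuid }

    $session = New-Object VMware.Vim.VMwareVspanSession
    $session.Name                 = $SessionName
    $session.SessionType          = 'dvPortMirror'
    $session.Enabled              = $true
    $session.NormalTrafficAllowed = $AllowNormalIo
    $session.SourcePortTransmitted = New-Object VMware.Vim.VMwareVspanPort   # egress from the VM
    $session.SourcePortTransmitted.PortKey = @($src.PortKey)
    $session.SourcePortReceived    = New-Object VMware.Vim.VMwareVspanPort   # ingress to the VM
    $session.SourcePortReceived.PortKey    = @($src.PortKey)
    $session.DestinationPort       = New-Object VMware.Vim.VMwareVspanPort
    $session.DestinationPort.PortKey       = @($dst.PortKey)

    $op = New-Object VMware.Vim.VMwareDVSVspanConfigSpec
    $op.Operation    = 'add'
    $op.VspanSession = $session

    $spec = New-Object VMware.Vim.VMwareDVSConfigSpec
    $spec.ConfigVersion   = $vds.ExtensionData.Config.ConfigVersion   # optimistic lock
    $spec.VspanConfigSpec = @($op)
    $vds.ExtensionData.ReconfigureDvs($spec)

    # Check: the session should now be listed on the switch and enabled.
    $vds.ExtensionData.UpdateViewData('Config.VspanSession')
    $vds.ExtensionData.Config.VspanSession |
        Where-Object Name -eq $SessionName |
        Select-Object Key, Name, Enabled, SessionType, NormalTrafficAllowed
}

# Cleanup: remove the session by key so it does not keep mirroring after the capture.
function Remove-DvPortMirrorSession {
    param([string]$VDSwitchName, [string]$SessionName)
    $vds = Get-VDSwitch -Name $VDSwitchName
    $existing = $vds.ExtensionData.Config.VspanSession | Where-Object Name -eq $SessionName
    if (-not $existing) { throw "No session named $SessionName on $VDSwitchName" }
    $op = New-Object VMware.Vim.VMwareDVSVspanConfigSpec
    $op.Operation    = 'remove'
    $op.VspanSession = New-Object VMware.Vim.VMwareVspanSession
    $op.VspanSession.Key = $existing.Key
    $spec = New-Object VMware.Vim.VMwareDVSConfigSpec
    $spec.ConfigVersion   = $vds.ExtensionData.Config.ConfigVersion
    $spec.VspanConfigSpec = @($op)
    $vds.ExtensionData.ReconfigureDvs($spec)
}

New-DvPortMirrorSession -SourceVmName 'app01' -CaptureVmName 'wireshark01' `
    -SessionName 'MIRROR app01 to wireshark01 (owner: netops, remove when capture ends)'
```

Set `-AllowNormalIo $false` when the capture VM has a dedicated sniffing NIC; with a single-NIC client OS leave it at `$true`, or the VM loses its own connectivity on that port.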

4) Other capture options

If your VMware farm includes the Cisco Nexus 1000V virtual switch or the Phantom vTap from Ixia (formerly Net Optics), then you have other options to consider when doing a packet capture: the Nexus 1000V supports SPAN and ERSPAN sessions in the same way its physical counterparts do, and a virtual tap can forward copies of VM traffic to an external analyzer without touching the VMware switch configuration.

This entry was posted in VMware.