What I'm trying to do: Use vmnic1 in a Windows 2008 R2 in ESXi 5.0 as a dedicated Wireshark port. I need to be able to set a port mirror on my Avaya ERS5650 and have vmnic1 capture this data.

Physical Server = ESXi 5.0 Server with 2 Physical NICs.
Physical Data Switch = Avaya ERS5650
ESXi vmnic0 = vSwitch0, standard network traffic for all VMs
ESXi vmnic1 = vSwitch1 set to promiscuous mode, Avaya ERS port 1/10, use as dedicated port for Wireshark, configured as Port Mirror destination on Avaya ERS5650 mirrored port

When I turn it on, I see very little traffic; I see only LLDP and NDP, no other traffic. What am I missing in the config of VMware or Wireshark, or is this scenario not possible?

asked 16 Jul '12, 07:10 byris
2 Answers:
Your setup is a little like one of those crazy machines, but right now I don't see why it shouldn't work. Correct me if I'm wrong:
It basically means that your mirror port is sending data to vSwitch1, which doesn't have a valid target and floods it anyway - and even if it wouldn't, it would because it is in promiscuous mode. So yes, you should see traffic from the mirror port. Maybe - and I would have to verify this - the vSwitch is "intelligent" enough to know that the destination MACs are invalid, since the ESXi has an inventory of existing virtual MACs, and discards the frames that do not match any of them.

answered 16 Jul '12, 08:44 Jasper ♦♦ edited 16 Jul '12, 08:48

That's exactly what I'm trying to do, but I'm just not seeing the intended traffic, basically no ICMP, TCP, UDP etc., but I do see LLDP & NDP. I've already tested the mirroring functionality on a standalone PC plugged into Avaya Switch Port 1/10 and I see the expected results. But when 1/10 is plugged into vmnic1 I do not see the intended traffic. Once again, I already have vSwitch1 & the VMXNet3 Adapter set to promiscuous mode. I wonder if I should set it to adapter type E1000 or VMXNet2 to see if that would make a difference. (16 Jul '12, 09:42) byris

I converted your answer to a comment to keep the flow going. You can try to use E1000 or VMXNet2, but I doubt it will help. I guess the VMkernel is dropping the frames as undeliverable since it knows it doesn't have the destination MACs anywhere. Unfortunately I cannot verify this behaviour at the moment since I can't access a test environment right now. (16 Jul '12, 09:48) Jasper ♦♦

Should I make the MAC address of the vmnic1 = physical eth1? (16 Jul '12, 10:12) byris

The mirrored frames will have neither the destination MAC of the physical eth1 nor of a virtual NIC, so I don't think it will help. But as always, you can still try... (16 Jul '12, 10:55) Jasper ♦♦
Found the solution: it is in the Windows 2008 R2 driver - go to the interface > Advanced > Priority & VLAN > Disable Priority & VLAN. Then try your capture again. If that doesn't work, make sure the security on the vSwitch you are using is set to allow promiscuous mode.

Thanks to these sites for their help :)
Windows Settings (at bottom of article)
http://community.spiceworks.com/topic/128883-vsphere-promiscuous-mode-only-receiving-packets-one-way-from-network-switch

answered 18 Jul '12, 17:56 chad_spack
I am having the same problem with the same setup, except different network equipment (I am using Extreme switches). Is there any resolution for this yet?