This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

VMware ESXi 5.0 and Wireshark

0

What I'm trying to do: Use vmnic1 in a Windows 2008 R2 in ESXi 5.0 as a dedicated Wireshark port. I need to be able to set a port mirror on my Avaya ERS5650 and have vmnic1 capture this data.

Physical Server = ESXi 5.0 Server with 2 Physical NICs.

Physical Data Switch = Avaya ERS5650

ESXi vmnic0 = vSwitch0, standard network traffic for all VMs

ESXi vmnic1 = vSwitch1 set to promiscuous mode, Avaya ERS port 1/10, Use as dedicated port for wireshark, configured as Port Mirror destination on Avaya ERS5650 mirrored port

When I turn it on, I see very little traffic; I see only LLDP and NDP, no other traffic. What am I missing in the config of VMware or Wireshark, or is this scenario not possible?

asked 16 Jul '12, 07:10

byris

I am having the same problem with the same setup, except different network equipment (I am using Extreme switches). Is there any resolution for this yet?

(18 Jul '12, 14:59) chad_spack

2 Answers:

0

Your setup is a little like one of those crazy machines, but right now I don't see why it shouldn't work. Correct me if I'm wrong:

  1. You have an Avaya switch that mirrors data to port 1/10.
  2. connected to that port is vmnic1 of the ESXi
  3. vmnic1 is connected to vSwitch1, with the whole vSwitch set to promiscuous mode
  4. on the virtual side the Windows 2k8r2 machine is running, with Wireshark capturing data

It basically means that your mirror port is sending data to vSwitch1 which doesn't have a valid target and floods it anyway - and even if it wouldn't, it would because it is in promiscuous mode. So yes, you should see traffic from the mirror port.

Maybe - and I would have to verify this - the vSwitch is "intelligent" enough to know that the destination MACs are invalid since the ESXi has an inventory of existing virtual MACs and discards the frames that do not match any of them.

answered 16 Jul '12, 08:44

Jasper ♦♦

edited 16 Jul '12, 08:48

That's exactly what I'm trying to do, but I'm just not seeing the intended traffic, basically no ICMP, TCP, UDP etc., but I do see LLDP & NDP.

I've already tested the mirroring functionality on a standalone PC plugged into Avaya Switch Port 1/10 and I see the expected results. But when 1/10 is plugged into a vmnic1 I do not see the intended traffic.

Once again I already have vSwitch1 & the VMXNet3 Adapter set to promiscuous mode.

I wonder if I should set it to adapter type E1000 or VMXNet2 to see if that would make a difference.

(16 Jul '12, 09:42) byris

I converted your answer to a comment to keep the flow going.

You can try to use E1000 or VMXNet2 but I doubt it will help. I guess the VMkernel is dropping the frames as undeliverable since it knows it doesn't have the destination MACs anywhere. Unfortunately I cannot verify this behaviour at the moment since I can't access a test environment right now.

(16 Jul '12, 09:48) Jasper ♦♦

Should I make the MAC address of the vmnic1 = physical eth1?

(16 Jul '12, 10:12) byris

The mirrored frames will have neither the destination MAC of the physical eth1 nor of a virtual nic, so I don't think it will help. But as always, you can still try...

(16 Jul '12, 10:55) Jasper ♦♦

0

Found the solution: it is in the Windows 2008 R2 driver. Go to the interface > Advanced > Priority & VLAN > Disable Priority & VLAN. Then try your capture again. If that doesn't work, make sure the security settings of the vSwitch you are using are set to allow promiscuous mode.

Thanks to these sites for their help :)

Vmware KB http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1002934

Windows Settings (at bottom of article) http://community.spiceworks.com/topic/128883-vsphere-promiscuous-mode-only-receiving-packets-one-way-from-network-switch

answered 18 Jul '12, 17:56

chad_spack
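To check a saved capture for the symptom described in the question (only LLDP and NDP frames, no ICMP, TCP or UDP), the following added example, which is not from the thread, tallies frames by EtherType and counts 802.1Q-tagged frames. It assumes a classic pcap file (not pcapng) with Ethernet link type; the function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x88CC: "LLDP"}
VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag identifiers

def read_pcap(data):
    """Yield raw frames from a classic (non-pcapng) Ethernet pcap file."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        yield data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def classify(frame):
    """Return (protocol label, was_vlan_tagged) for one Ethernet frame."""
    etype, offset, tagged = struct.unpack("!H", frame[12:14])[0], 14, False
    while etype in VLAN_TPIDS and len(frame) >= offset + 4:
        etype = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        offset, tagged = offset + 4, True
    if etype < 0x0600:  # a length field, not an EtherType (802.3/LLC framing)
        return "802.3/LLC", tagged
    return ETHERTYPES.get(etype, hex(etype)), tagged

def summarize(data):
    """Count frames per protocol and flag a capture with no IP or ARP at all."""
    counts, tagged = Counter(), 0
    for frame in read_pcap(data):
        if len(frame) >= 14:
            label, was_tagged = classify(frame)
            counts[label] += 1
            tagged += was_tagged
    symptom = bool(counts) and not {"IPv4", "IPv6", "ARP"} & set(counts)
    return dict(counts), tagged, symptom

def _pcap(frames):  # build a constructed little-endian pcap in memory
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

LLDP = bytes(12) + b"\x88\xcc" + bytes(46)                         # constructed
TAGGED_IPV4 = bytes(12) + b"\x81\x00\x00\x0a\x08\x00" + bytes(42)  # constructed, VLAN 10
SAMPLE_DISCOVERY_ONLY = _pcap([LLDP, LLDP])
SAMPLE_MIXED = _pcap([LLDP, TAGGED_IPV4])
```

For a real capture, pass the file's bytes to `summarize()`, for example `summarize(open("mirror.pcap", "rb").read())`, where the file name is a placeholder.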