This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have a virtual machine with VPN - how can i split traffic in wireshark between my host and VM?

0

So i have a virtual machine and a VPN installed on it. Network is set to NAT. To see that everything works as intended and that my VM with my real IP isn't connecting anywhere but VPN, i want to check traffic with in host wireshark, but because there are 2 machines connecting with my IP(host and VM)source IP is the same. So i wanted to ask is it possible somehow that wireshark would show from where this connection originated? Host or VM?

asked 09 Jan '14, 06:49

numsta's gravatar image

numsta
11113
accept rate: 0%

edited 09 Jan '14, 06:50

One Answer:

0

So i wanted to ask is it possible somehow that wireshark would show from where this connection originated? Host or VM?

There is no reliable way to differentiate traffic of the host and the VM, if you are looking at traffic from the outside. There are however 'indicators' that might be good enough in some cases. Keep in mind, that the NAT implementation of the your Hypervisor might handle things differently (as described below). If that is the case, you can't use some (or all) of those 'indicators'.

  • TTL: The TTL of the packets should be different, -1 for the VM compared to the host. Maybe the TTL is a reliable way. It depends on the NAT implementation of the Hypervisor !?!
  • IP ID: the IP ID range will be different between the host and VM
  • Source port range: same as IP ID
  • TCP MSS and window size: If the host and the VM use different operating systems, these values might be different as well.

Regards
Kurt

answered 09 Jan '14, 09:04

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 09 Jan '14, 09:19