This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Live Traffic Capture of two VMs running in VirtualBox


I want to create the following lab setup using VirtualBox and Wireshark:

  1. Two VMs to communicate with each other.
  2. Wireshark to be installed on the host, and able to capture live traffic of the above two communicating VMs.
  3. Ubuntu as the host and 2 guests (Windows XP and Tiny Core Linux)

Any suggestions or possible workarounds?

asked 25 Apr '15, 15:34

Mushtaq Hussain


2 Answers:

0

For the VMs use Network: Host-only Adapter

On the Host PC open Wireshark and start the capture on Virtualbox Host-Only Network.

*Tested on Win 7 with Virtualbox 4.3.26 and Wireshark 1.12.4

answered 01 May '15, 04:11

Roland

1

I had tried the same setup previously; however, I repeated it again after seeing your answer. But I am unable to capture the traffic between the two VMs running in VirtualBox. I am able to capture broadcast packets from the two VMs; however, no unicast packets (like ICMP packets) between the two VMs are being captured by Wireshark on the vboxnet0 interface.

My environment is: host is Ubuntu 14.04 LTS, Wireshark Version 1.10.6, VirtualBox Version 4.3.10_Ubuntu r93012. Both VMs are in Host-Only mode attached to the vboxnet0 adapter, and I am capturing on the vboxnet0 interface in Wireshark.

(01 May '15, 13:25) Mushtaq Hussain

It also works on Linux, but I only tested with Virtualbox 4.3.26.

(01 May '15, 15:32) Roland

Upgraded to VirtualBox 4.3.26 r98988. It does seem more refined and lighter on resources. However, my original problem remains exactly the same. I have also set the promiscuous mode policy for the vboxnet0 interface in both VMs to 'Allow All'; still, Wireshark only captures the broadcast packets, not the unicast ping between the two VMs. Wireshark is also set to capture in promiscuous mode.

(02 May '15, 15:39) Mushtaq Hussain

Can you share any specific interface settings for the VMs or VirtualBox global configurations?

(02 May '15, 15:41) Mushtaq Hussain

I used the default settings, promiscuous mode was set to Deny. Do you have the firewall enabled on the host?

(03 May '15, 05:08) Roland

I have also checked with firewalls disabled, but got the same result. Also, the firewall does not seem to be the problem here, as I am able to capture all traffic through the same interface when one VM is in VirtualBox and the other one is in VMware Player. However, it seems that when both VMs are in VirtualBox they have some kind of direct link and unicast traffic does not reach vboxnet0, as broadcast traffic from both VMs is being captured.

(03 May '15, 08:41) Mushtaq Hussain

Can you try it on another host?

(06 May '15, 01:42) Roland

0

Virtualbox includes a feature to capture traffic generated by the virtual machines.

https://www.virtualbox.org/wiki/Network_tips

This looks like the most reliable way to capture traffic between two VMs, besides capturing the traffic directly in the VMs.

Regards
Kurt

answered 03 May '15, 14:06

Kurt Knochner ♦

Thank you for pointing to this feature. However, I need to monitor the live capture of traffic in Wireshark, whereas with this feature you cannot analyse the traffic in real time.

(03 May '15, 14:22) Mushtaq Hussain
1

Well, then your option is to capture inside one of the VMs (or even both).

(03 May '15, 14:48) Kurt Knochner ♦
1

Definitely, one way is to capture inside the VM. But is it not possible to do a capture on the host? There may come a situation where one is looking to capture live traffic of a network formed from more than two VMs at a time. Any thoughts?

(03 May '15, 15:19) Mushtaq Hussain

Any thoughts.

Ask the Virtualbox community. They should know their product better than we do ;-))

(03 May '15, 16:41) Kurt Knochner ♦
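
To check a saved capture for the symptom discussed in this thread (broadcast frames present on vboxnet0, unicast frames between the VMs missing), the following added example, which is not part of the original thread, counts the Ethernet frames in a classic pcap file by destination MAC type. The MAC addresses and the two sample captures are constructed for illustration, and pcapng files are not handled.

```python
import struct

BROADCAST = b"\xff" * 6

def classify_frames(pcap_bytes):
    """Count Ethernet frames in a classic pcap by destination-MAC type."""
    magic = pcap_bytes[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # usec / nsec, little-endian
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # usec / nsec, big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if linktype != 1:  # LINKTYPE_ETHERNET
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    counts = {"broadcast": 0, "multicast": 0, "unicast": 0}
    off = 24  # skip the global header
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:
            continue  # truncated record, no full Ethernet header
        dst = frame[:6]
        if dst == BROADCAST:
            counts["broadcast"] += 1
        elif dst[0] & 1:  # group bit set: multicast
            counts["multicast"] += 1
        else:
            counts["unicast"] += 1
    return counts

# Constructed sample data (not taken from the thread): two VMs with made-up MACs.
def _record(dst, src, ethertype):
    frame = dst + src + struct.pack(">H", ethertype) + b"\x00" * 46
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

VM_A = bytes.fromhex("080027000001")
VM_B = bytes.fromhex("080027000002")
HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
# What the thread describes seeing on vboxnet0: only broadcast (ARP) frames.
HOST_VIEW = HEADER + _record(BROADCAST, VM_A, 0x0806) + _record(BROADCAST, VM_B, 0x0806)
# The same exchange as a guest would see it, with unicast IPv4 frames included.
GUEST_VIEW = HOST_VIEW + _record(VM_B, VM_A, 0x0800) + _record(VM_A, VM_B, 0x0800)

if __name__ == "__main__":
    for name, data in (("host", HOST_VIEW), ("guest", GUEST_VIEW)):
        print(name, classify_frames(data))
```

A unicast count of zero alongside non-zero broadcast counts matches the behaviour reported for the host-side capture, while a capture taken inside a guest should show both.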