I have a virtual machine running Linux (Ubuntu 14.04). This machine (server) has a physical port running in promiscuous mode connected to a SPAN (mirror) port on the core switch (it is monitoring), and a virtual port set up for management (it has an IP for connection and data pulling). Whenever I run Wireshark, I am only seeing traffic that is on the Linux server. I am not picking up any traffic on the SPAN port. Why not?
asked 19 Feb '16, 10:24 msmorten
3 Answers:
I'm assuming by the "vmware" tag that you're running a VMware host. If it's ESXi you'll have to enable promiscuous mode on the vSwitch as described in KB 1004099.
answered 19 Feb '16, 10:52 Gerald Combs ♦♦
Well, after working with XRDP and getting a graphical look at Wireshark, I found that in this program it was set up in promiscuous mode for the "ETH0" port. This was for some reason unnecessary, based on the fact that the port was properly set to this mode outside of the program. After deselecting this and viewing the captures in a graphical interface, I am seeing more traffic than what is destined to my interface.
answered 19 Feb '16, 12:30 msmorten
And after further research, this is still an issue. The Linux VMware server isn't seeing the promiscuous port, so Wireshark isn't seeing anything but traffic destined to the management port. (24 Feb '16, 17:59) msmorten
What does the And what does (25 Feb '16, 03:05) sindy
COOL. I make these posts after a meeting and have become frustrated. I get back to my desk after thinking about it and find out that the problem is normally me. So after doing an "ifconfig" I only see "ETH0" and "lo". BUT if I do an "ifconfig -a" I see an unassigned port... "eth1"... There is my interface that needs to be configured, which was set up and assigned to my VM environment as promiscuous by my Windows system admin. After setting up the interface in /etc/network/interfaces with the proper commands to get the interface set up as "promiscuous", I am able to use Wireshark to get information from my SPAN port. I could have also run the commands

```
ifconfig eth1 up
ifconfig eth1 promisc
```

to temporarily get it up, but I wanted the interface to come back after a reboot or whatever. I also added the above commands to /etc/rc.local so that the interface will stay up... (I think that's why those commands are there) lol. Anyway, I was able to get the interface up and running once I located it. I just never knew it was there because it never showed up under a normal ifconfig. The commands below are like a timeline of how I went about setting up the interface.
```
:/# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:5c:81:e0
          inet addr:172.16.4.89  Bcast:172.16.4.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe5c:81e0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:33338134 errors:0 dropped:0 overruns:0 frame:0
          TX packets:228793969 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2497495424 (2.4 GB)  TX bytes:523594338379 (523.5 GB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:560399756 errors:0 dropped:0 overruns:0 frame:0
          TX packets:560399756 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1479271113780 (1.4 TB)  TX bytes:1479271113780 (1.4 TB)

:/# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:0c:29:5c:81:e0
          inet addr:172.16.4.89  Bcast:172.16.4.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe5c:81e0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:33738969 errors:0 dropped:0 overruns:0 frame:0
          TX packets:228895529 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2573209836 (2.5 GB)  TX bytes:523620839695 (523.6 GB)

eth1      Link encap:Ethernet  HWaddr 00:0c:29:5c:81:ea
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:560565049 errors:0 dropped:0 overruns:0 frame:0
          TX packets:560565049 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1479443551265 (1.4 TB)  TX bytes:1479443551265 (1.4 TB)

:/# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:0c:29:5c:81:ea
          inet6 addr: fe80::20c:29ff:fe5c:81ea/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:168274261 errors:0 dropped:16365 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:155986089864 (155.9 GB)  TX bytes:1296 (1.2 KB)

:/# netstat -i
Kernel Interface table
Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0  3267113      0      0      0 19271185      0      0      0 BMRU
eth1   1500   0 168474659     0  16365      0       16      0      0      0 BMPRU
lo    65536   0 36303118      0      0      0 36303118      0      0      0 LRU
```
answered 25 Feb '16, 11:32 msmorten
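A scripted version of the steps in this answer, added here and not part of the original post: it decodes an interface's kernel flags into the names ifconfig prints, classifies the interface as present-but-down (the "only in ifconfig -a" case), up, or promiscuous, and prints an /etc/network/interfaces stanza that makes the promiscuous setting survive a reboot without /etc/rc.local. The interface name eth1 and the use of ip(8) instead of ifconfig are my assumptions, not the poster's configuration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the capture interface is
# eth1, as in the answer above, and uses ip(8) rather than ifconfig.
set -eu

# Decode the net_device flags word (what /sys/class/net/<if>/flags holds)
# into the names ifconfig prints. Bit values are the kernel IFF_* constants:
# IFF_UP=0x1 IFF_BROADCAST=0x2 IFF_LOOPBACK=0x8 IFF_RUNNING=0x40
# IFF_PROMISC=0x100 IFF_MULTICAST=0x1000.
decode_flags() {
    f=$(( $1 ))
    out=""
    [ $(( f & 0x1 )) -ne 0 ]    && out="$out UP"
    [ $(( f & 0x2 )) -ne 0 ]    && out="$out BROADCAST"
    [ $(( f & 0x8 )) -ne 0 ]    && out="$out LOOPBACK"
    [ $(( f & 0x40 )) -ne 0 ]   && out="$out RUNNING"
    [ $(( f & 0x100 )) -ne 0 ]  && out="$out PROMISC"
    [ $(( f & 0x1000 )) -ne 0 ] && out="$out MULTICAST"
    printf '%s\n' "${out# }"
}

# Classify a capture interface: "down" is the state eth1 was found in with
# ifconfig -a, "up-not-promisc" only sees frames addressed to the VM, and
# "ready" sees the mirrored SPAN traffic. $2 optionally supplies the flags
# value instead of reading sysfs, so the check can be run offline.
capture_iface_state() {
    flags=${2:-$(cat "/sys/class/net/$1/flags")}
    names=$(decode_flags "$flags")
    case " $names " in
        *" PROMISC "*) echo "ready" ;;
        *" UP "*)      echo "up-not-promisc" ;;
        *)             echo "down" ;;
    esac
}

# ifupdown stanza (Ubuntu 14.04) for a capture-only interface: no address,
# brought up promiscuous at boot. Equivalent to the two ifconfig commands
# in the answer, but persistent.
interfaces_stanza() {
    cat <<EOF
auto $1
iface $1 inet manual
    up ip link set dev $1 up promisc on
    down ip link set dev $1 down
EOF
}
```

The flags file reports the same bits ifconfig shows, so `capture_iface_state eth1` after `ifup eth1` should print `ready`; if it prints `down`, the stanza has not been applied yet.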
This has been done, as far as I know. But I will have my Windows Server admin double check these settings for me. Thanks for the feedback.
Confirmed with my Server admin that all of these settings are absolutely correct. He is very thorough and showed me these settings are in fact correct; however, when using Wireshark, my "host" IP is the IP of the server I have WS running on and not the traffic that is running across the SPAN. I am just so confused as to what my issue here could be.
Host: 172.16.4.89 - IP OF THE LINUX BOX I'M on (and all of my captures are this way)
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: /