This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

[closed] Running wireshark from a VM, unit has a virtual port and physical port only seeing one port in wireshark

0

We are running Wireshark on a VM and this virtual machine, ESX, has two ports. One physical port and one virtual port. The virtual port is setup to be the management port (with an ip) and the physical port is setup in promiscuous mode and attached to a span port on my core switch. The VM is running Ubuntu 14.04 and the interfaces it sees are the management port (eth0) and Loopback. No reference of the promiscuous interface. When running wireshark, it only see traffic coming to the eth0 management interface, and it's not seeing the traffic that's coming across my SPAN port. Would this be an issue with my VM configuration? Or how wireshark is setup? The Ubuntu installation was pretty straight forward, would I have been able to add the promiscuous interface then? I just don't know why wireshark isn't able to pull traffic from my physical promiscuous interface on my span port?

asked 24 Feb '16, 16:21

msmorten's gravatar image

msmorten
4558
accept rate: 0%

closed 25 Feb '16, 11:58

JeffMorriss's gravatar image

JeffMorriss ♦
6.2k572

I'm confused about a VM having a virtual and a physical port (NIC). VMs usually have only virtual NICs which VMware's configuration allows you to connect to the server's physical NIC(s) (or not if you're using one or more VM-to-VM networks that don't need to exit the server).

Also, I didn't think VMware allowed you to enable promiscuous mode on a physical NIC. My understanding is that you enable promiscuous mode on a vSwitch (which probably also has some effect on the physical NIC?).

So: How many physical NICs do you have? How many virtual networks do you have? How many virtual NICs have you created on the VM? I'm guessing 1 since you said you only see 1 but some tools only show interfaces that are actually configured.

(25 Feb '16, 11:14) JeffMorriss ♦

The question has been closed for the following reason “Duplicate Question - https://ask.wireshark.org/questions/50349/running-wireshark-on-a-linux-vm-seeing-traffic-only-from-the-machine-wireshark-is-running-on" by JeffMorriss 25 Feb ‘16, 11:58