This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

running wireshark on a server

The configuration is an Intel Mac with an AirPort card and several USB NICs. The AirPort card is for connectivity to the internet. The USB NICs provide connectivity to the local LAN. Internet Sharing is used on the Mac to distribute internet access, and the Mac is also a file repository. Internet Sharing on the Mac results in DHCP serving addresses in a different class C for each NIC, so one NIC for example will get 192.168.2.x, the next NIC gets 192.168.3.x, etc. This allows each NIC to service a whole LAN segment. Wireshark installed on the Mac sees all interfaces and allows monitoring of traffic.

I do not want to run Wireshark natively on the Mac. It's a production machine and messing around with the bare metal is discouraged. A virtual appliance is perceived as safer (even though it may not be, I cannot convince the responsible higher-ups). So, VMware Fusion is set up on the Mac to run an instance of Windows XP SP3. Wireshark is installed on Windows. In this configuration, Wireshark only sees the AirPort but not the USB NICs. The network adapters are set up in bridged mode on VMware.

Is there a tutorial that clarifies setup for the NICs in Fusion and the proper IP addresses they should have in Windows? Should they be bridged there as well? If I use the same IP as that used on the Mac, obviously I get an IP address conflict.

asked 16 Jul '11, 23:02

bwana


One Answer:

I don't think this will work for you. All vNICs in your WinXP system will be connected to the virtual switch in VMware Fusion. So only traffic that is destined for your XP machine (and broad/multicasts) will be visible on the XP machine.

The functionality of the virtual switch is very limited and it does not have the possibility to configure a mirroring port (as you would have done when there was a real switch in place).

I just tested this on my own MacBook Pro with Fusion. The behavior is actually a little different than expected from the above clarification. If I ping from my MacOS host to the Internet, I only see the outgoing packets on my Win7 guest. The incoming echo reply packets are not forwarded to my Win7 machine (which has the AirPort adapter bridged to a vNIC).

So all-in-all, if you need to analyze all traffic on a particular interface on the Mac, you will have to capture the traffic on the Mac and not in a VM. At least with the current version of Fusion; things might change in the future.

answered 17 Jul '11, 01:32

SYN-bit ♦♦

Thank you. Yes, I was hoping for the virtual machine to be a 'network tap'. I guess another way to get the traffic to go through the XP instance would be to have a DHCP server running in XP (on the VM). This DHCP server would service the NICs. I tried tftpd but that is a little too rudimentary; it does not see the virtual interfaces. I'll keep looking.

(17 Jul '11, 06:55) bwana