I'm experimenting with bridging and traffic control in Ubuntu and using VirtualBox for this. I want to see what happens to the packets in Wireshark and found a behaviour which I'd like to understand.
In VirtualBox I have two Host Only adapters with DHCP disabled. On my host end of the adapters one of these (AdaptorA) has an IP address (192.168.11.1); the other (AdaptorB) is not bound to IPv4.
Inside Ubuntu I bridge the two adapters. This works fine and I can send a packet to 192.168.11.2 and Wireshark, monitoring AdapterB, sees the ARP requests. If I fake an ARP entry then I see the packet as I'd expect.
Fake ARP entry: "arp -s 192.168.11.2 00-11-22-33-44-55 -N 192.168.11.1"
However, if I then (in Wireshark) select to monitor BOTH AdapterA and AdapterB and then send one packet, Wireshark sees over 845000 packets before I killed it and it crashed, so it looks to me like a loop is formed. This is repeatable.
I have not seen this bridging type of behaviour before on real adapters so I don't think this is normal. I don't currently have a host with multiple physical adaptors so I can't check.
Other (network) software installed on the host is Windows 7, AirMagnet, Cisco AnyConnect and the Virtual PC (for the Windows XP VM), so I'm not expecting this to be a regular problem.
Inside Ubuntu both interfaces are "LinkLocal only" and I bridged them using the following commands:
I'm sending a single UDP packet on port 24 (using a program called Packet Sender by Dan Nagle).
Changing STP to ON did not change the unlimited number of packets.
I intend to use traffic control to simulate a delay (from https://www.excentis.com/blog/use-linux-traffic-control-impairment-node-test-environment-part-1 ) using commands such as
So I want to see how long it takes for packets to traverse my Linux box before I swap to real cards, so I'd like to work around this.
Thanks for reading and any hints or things to check.
This question is marked "community wiki".
asked 29 Jan '17, 20:06 rjwilson01, edited 29 Jan '17, 20:12
One Answer:
WinPCAP driver problem causes loops when interacting with VirtualBox drivers.
answered 31 Jan '17, 16:49 rjwilson01
Try not setting promiscuous mode while capturing and see if that makes a difference.
Thanks. I've tried disabling promiscuous mode in the host and it still generates a lot of traffic. I tried installing Wireshark inside the VM. If I monitor both ports inside the VM I don't get lots of traffic.
If I monitor both inside the VM and monitor both ports on the host, then the VM Wireshark does see a lot of packets, not as many, but I believe that is just lack of processing power. So this is a real effect on the VirtualBox/Wireshark monitoring.
I also tried two Wiresharks running in the host, each monitoring one network card - this also caused the loop.
The loop also occurs for traffic initiated by the VM. I tried disabling all the IPv4 (and IPv6) within the VM. This stopped traffic initiated within the VM, however it still has a loop.
I also disabled the two interfaces (leaving the bridge interface enabled). This still bridged traffic (i.e. traffic came out the second interface) but also still caused the loop when monitoring both interfaces in the host.
I disabled promiscuous mode in the VM as well.
I think I'll see if using the Wireshark inside the VM is enough to confirm how the traffic control operates.
There's also a new packet sniffer library for Windows in the works, which may make a difference as well.
Given the behaviour a new PCAP sounds appropriate, thanks for pointing that out. I've tried a few things: NPCAP (leaving WinPcap present and in legacy mode), and I think it probably is a driver problem. It does not loop the network with NPCAP installed, in either WinPcap emulation or not. But it also does not show the second packet. The second packet is still present inside the VM Wireshark capture.
I'm still looking into it as I've got some hardware now and so will send this through a Cisco switch with a SPAN to try and see actual traffic. But I have to move on. I've confirmed that the traffic control works.
One thing on that shortcut you posted: I can't get to https://npcap.org/, I must go to http://npcap.org/ which redirects me to https://nmap.org/npcap/. I'd guess it's a browser setting.
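
One way to check from capture data whether a flood like the one in this thread is a single frame being replayed rather than many distinct packets: a layer-2 loop forwards frames byte-for-byte (no TTL change), so identical frame hashes pile up across both interfaces. This is an added example, not part of the original thread; the record format, function names, interface labels and sample frames are constructed for illustration.

```python
import hashlib
from collections import defaultdict

def find_replayed_frames(records, min_copies=4):
    """records: iterable of (interface, timestamp_seconds, frame_bytes).
    Returns one finding per frame seen at least min_copies times,
    most-replayed first. A bridge normally shows a frame once per port,
    so a high copy count at a high rate points to a loop."""
    seen = defaultdict(list)
    for iface, ts, frame in records:
        # Hash the whole frame: a bridged copy is byte-identical.
        seen[hashlib.sha256(frame).hexdigest()].append((ts, iface))
    findings = []
    for digest, hits in seen.items():
        if len(hits) < min_copies:
            continue
        hits.sort()
        span = hits[-1][0] - hits[0][0]
        findings.append({
            "sha256": digest,
            "copies": len(hits),
            "interfaces": sorted({iface for _, iface in hits}),
            "rate_per_s": len(hits) / span if span > 0 else float("inf"),
        })
    return sorted(findings, key=lambda f: f["copies"], reverse=True)

def build_sample():
    """Constructed capture: one ARP frame seen once per adapter (normal
    bridging) and one UDP frame replayed 1000 times across both adapters."""
    src = "0a0027000001"  # constructed source MAC
    arp = bytes.fromhex("ffffffffffff" + src + "0806") + b"constructed ARP"
    udp = bytes.fromhex("001122334455" + src + "0800") + b"constructed UDP"
    records = [("AdapterA", 0.000, arp), ("AdapterB", 0.001, arp)]
    for i in range(1000):
        iface = "AdapterA" if i % 2 == 0 else "AdapterB"
        records.append((iface, 1.0 + i * 0.0001, udp))
    return records

if __name__ == "__main__":
    for f in find_replayed_frames(build_sample()):
        print(f["copies"], f["interfaces"], round(f["rate_per_s"]), f["sha256"][:16])
```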