Virtualization Technology News and Information
Virtual Network Sniffing Summary
MCPMag prints a Chris Wolf Q&A on how to monitor and capture data on virtual networks.

Q: I have a few questions about virtual network behavior in VMware. I’m trying to perform some tests using data capture tools and came upon the vnetsniffer.exe tool from VMware. Is this a useful tool for troubleshooting, or do you recommend something else? Also, can you tell me if promiscuous mode captures are possible over virtual networks? I can probably perform some of my own testing on this but, to be honest, I’m too lazy.

A: Joseph, first I must say that I appreciate your honesty. For a minute I thought that I’d say that I’m too lazy too and leave it up to my readers to fill in the blanks, but I don’t think that my editor would appreciate that. [Editor's Note: Good call, Chris!] So let me get on with the answer.

Let’s start with vnetsniffer.exe. On Windows VM hosts running either VMware Workstation or VMware GSX server, you can find the vnetsniffer.exe tool in the default installation folder, such as "C:\Program Files\VMware\VMware Workstation." When run, this tool will provide you with very basic information about network communications over a virtual network, such as source and destination addresses and transport protocol (TCP or UDP). When run with the /e switch, the source and destination MAC addresses are also displayed. The tool does not display source or destination ports.

Here’s an example of running vnetsniffer to capture traffic on the virtual host only network:

vnetsniffer vmnet1

For VMs bridged to the physical LAN interface on the host, you would specify vmnet0 as the target network. Here’s a sample of what you can expect to see as output from the tool:

IP src   dst     TCP
IP src     dst   TCP
IP src   dst     TCP
IP src     dst   TCP

As you can see, not much information is being displayed. However, the good news is that your VMware virtual networks are interconnected with virtual hubs. This means that you can run a capture tool in promiscuous mode and capture all traffic on a virtual network. Also, with host only networking enabled, you can use a tool such as Ethereal to capture all virtual network data from the host system. I tried to capture all virtual network data from the host for VMs connected to a bridged network and was not successful. So for a true promiscuous mode capture from the host, you should configure the VMs to connect to the host only network. If you are using bridged networking, a work-around would be to just run Ethereal and get a capture from within a VM. This approach can allow you to get a promiscuous mode capture on both host only and bridged networks.

For detailed analysis of traffic on virtual networks, I recommend using a tool such as Ethereal, since it will give you much more detail than you will see in vnetsniffer.exe. With the promiscuous mode capture, you’ll be able to capture all of the traffic on a complete virtual network (whereas without promiscuous mode you’ll only capture traffic to or from the actual interface on which Ethereal is bound).

For the Virtual Server 2005 users out there, you can also perform promiscuous mode captures by running Ethereal on any VM attached to a virtual network. Like with VMware bridged networks, you won’t have much luck running promiscuous mode captures from the host.

So if all you want is basic traffic flow analysis, vnetsniffer.exe will probably suffice. For advanced capturing and analysis, using a tool such as Ethereal is definitely the way to go. Since virtual networks are interconnected using virtual hubs, true promiscuous mode captures can be made by running a tool such as Ethereal from within a VM. As I mentioned before, you can also perform promiscuous mode captures from a VMware host over the virtual host only Ethernet adapter.

Read the original article and comment to Chris, here.
Published Tuesday, March 28, 2006 10:39 PM by David Marshall
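Added example, not from the original article or from VMware: Python code that summarizes captured Ethernet/IPv4 frames with the fields the answer attributes to vnetsniffer (addresses, TCP or UDP, MAC addresses) plus the ports it omits, and marks the frames a capturing VM on a virtual hub would only see in promiscuous mode. The MAC addresses, IP addresses and frame bytes are constructed, and the printed layout is an assumption, not vnetsniffer's output format.

```python
import socket
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def summarize(frame, local_mac):
    """Summarize one Ethernet II/IPv4 frame; return None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    dst, src, ip = frame[0:6], frame[6:12], frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    proto = {6: "TCP", 17: "UDP"}.get(ip[9], str(ip[9]))
    sport = dport = None
    # Only the first fragment of a datagram carries the TCP/UDP header.
    first_fragment = (struct.unpack("!H", ip[6:8])[0] & 0x1FFF) == 0
    if ip[9] in (6, 17) and first_fragment and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    # On a hub, unicast between two other stations reaches this NIC, but the
    # NIC only passes it up to the capture tool in promiscuous mode.
    group = bool(dst[0] & 1)  # broadcast/multicast bit of the destination MAC
    return {
        "src_mac": mac(src), "dst_mac": mac(dst),
        "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
        "proto": proto, "sport": sport, "dport": dport,
        "promisc_only": not group and local_mac not in (dst, src),
    }

def build(dst, src, sip, dip, proto, sport, dport):
    """Constructed test frame: IPv4 header (checksum left 0) + 8 bytes of L4."""
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                      socket.inet_aton(sip), socket.inet_aton(dip))
    return dst + src + b"\x08\x00" + iph + struct.pack("!HHI", sport, dport, 0)

# Constructed addresses for three VMs on one virtual network; LOCAL captures.
LOCAL, VM_B, VM_C = (bytes.fromhex(h) for h in
                     ("000c29aaaa01", "000c29bbbb02", "000c29cccc03"))
FRAMES = [
    build(VM_C, VM_B, "192.168.80.20", "192.168.80.30", 6, 1025, 80),
    build(LOCAL, VM_B, "192.168.80.20", "192.168.80.10", 17, 1026, 53),
    build(b"\xff" * 6, VM_C, "192.168.80.30", "192.168.80.255", 17, 137, 137),
]

if __name__ == "__main__":
    for s in (summarize(f, LOCAL) for f in FRAMES):
        print(s["src_mac"], s["dst_mac"], "IP", s["src_ip"], s["dst_ip"], s["proto"],
              s["sport"], s["dport"], "promisc-only" if s["promisc_only"] else "")
```

Only the first constructed frame, unicast between the two other VMs, is flagged; the frame addressed to the capturing VM and the broadcast frame would be captured without promiscuous mode.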