MCPMag prints a Chris Wolf Q&A on how to monitor and capture data on virtual networks.
Q: I have a few questions about virtual network behavior in VMware. I’m trying to
perform some tests using data capture tools and came upon the vnetsniffer.exe
tool from VMware. Is this a useful tool for troubleshooting, or do you recommend
something else? Also, can you tell me if promiscuous mode captures are possible
over virtual networks? I can probably perform some of my own testing on this
but, to be honest, I’m too lazy.
A: Joseph, first I must say that I appreciate your honesty. For a minute I
thought that I’d say that I’m too lazy too and leave it up to my readers to fill
in the blanks, but I don’t think that my editor would appreciate that.
[Editor's Note: Good call, Chris!] So let me get on with the answer.
Let’s start with vnetsniffer.exe. On Windows VM hosts running either VMware
Workstation or VMware GSX Server, you can find the vnetsniffer.exe tool in the
default installation folder, such as "C:\Program Files\VMware\VMware
Workstation." When run, this tool will provide you with very basic information
about network communications over a virtual network, such as source and
destination addresses and transport protocol (TCP or UDP). When run with the /e
switch, the source and destination MAC addresses are also displayed. The tool
does not display source or destination ports.
Here’s an example of running vnetsniffer to capture traffic on the virtual
host only network:

    vnetsniffer vmnet1

For VMs bridged to the physical LAN interface on the host, you would specify
vmnet0 as the target network. Here’s a sample of what you can expect to see as
output from the tool:

    IP src 192.168.0.100 dst 192.168.0.5 TCP
    IP src 192.168.0.5 dst 192.168.0.100 TCP
    IP src 192.168.0.100 dst 192.168.0.5 TCP
    IP src 192.168.0.5 dst 192.168.0.100 TCP

As you can see, not much information is being displayed. However, the good
news is that your VMware virtual networks are interconnected with virtual hubs.
This means that you can run a capture tool in promiscuous mode and capture all
traffic on a virtual network. Also, with host only networking enabled, you can
use a tool such as Ethereal to capture
all virtual network data from the host system. I tried to capture all virtual
network data from the host for VMs connected to a bridged network and was not
successful. So for a true promiscuous mode capture from the host, you should
configure the VMs to connect to the host only network. If you are using bridged
networking, a work-around would be to just run Ethereal and get a capture from
within a VM. This approach can allow you to get a promiscuous mode capture on
both host only and bridged networks.
For detailed analysis of traffic on virtual networks, I recommend using a
tool such as Ethereal, since it will give you much more detail than you will see
in vnetsniffer.exe. With the promiscuous mode capture, you’ll be able to capture
all of the traffic on a complete virtual network (whereas without promiscuous
mode you’ll only capture traffic to or from the actual interface on which
Ethereal is bound).
For the Virtual Server 2005 users out there, you can also perform promiscuous
mode captures by running Ethereal on any VM attached to a virtual network. As
with VMware bridged networks, you won’t have much luck running promiscuous mode
captures from the host.
So if all you want is basic traffic flow analysis, vnetsniffer.exe will
probably suffice. For advanced capturing and analysis, using a tool such as
Ethereal is definitely the way to go. Since virtual networks are interconnected
using virtual hubs, true promiscuous mode captures can be made by running a tool
such as Ethereal from within a VM. As I mentioned before, you can also perform
promiscuous mode captures from a VMware host over the virtual host only Ethernet
adapter.
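
For the basic traffic flow analysis mentioned above, saved vnetsniffer output can be tallied with a short script. This is an added example, not part of the original column or a VMware tool; it assumes the output consists only of the "IP src ... dst ... TCP|UDP" records shown in the sample, and the function names and the extra UDP record are constructed for illustration.

```python
import re
from collections import Counter

# Matches the record format shown in the sample output above. \s+ also spans
# line breaks, so records wrapped across lines (as when pasted) still match.
RECORD = re.compile(
    r"IP\s+src\s+(\d{1,3}(?:\.\d{1,3}){3})\s+dst\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(TCP|UDP)\b"
)

def parse_records(text):
    """Return a list of (src, dst, proto) tuples found in captured output."""
    return RECORD.findall(text)

def summarize(text):
    """Count packets per directed flow and per unordered host pair."""
    flows = Counter()
    pairs = Counter()
    for src, dst, proto in parse_records(text):
        flows[(src, dst, proto)] += 1
        pairs[(frozenset((src, dst)), proto)] += 1
    return flows, pairs

def unexpected_hosts(text, known_hosts):
    """Addresses seen on the virtual network that are not in known_hosts."""
    seen = set()
    for src, dst, _ in parse_records(text):
        seen.update((src, dst))
    return sorted(seen - set(known_hosts))

# Constructed sample: the four records from the column, two of them wrapped
# across lines, plus one constructed UDP record from an unlisted address.
SAMPLE = """IP src 192.168.0.100 dst 192.168.0.5 TCP
IP src
192.168.0.5 dst 192.168.0.100 TCP
IP src 192.168.0.100 dst
192.168.0.5 TCP
IP src 192.168.0.5 dst 192.168.0.100 TCP
IP src 192.168.0.77 dst 192.168.0.5 UDP
"""

if __name__ == "__main__":
    flows, pairs = summarize(SAMPLE)
    for (src, dst, proto), n in sorted(flows.items()):
        print(f"{src} -> {dst} {proto}: {n}")
    print("unexpected:", unexpected_hosts(SAMPLE, {"192.168.0.100", "192.168.0.5"}))
```

Because vnetsniffer does not show ports, a summary like this can only flag which hosts are talking and over which transport; anything finer needs a full capture in a tool such as Ethereal.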