VMware vSphere

  • 1.  Feeding network tap (port mirror) into a vSwitch?

    Posted Aug 07, 2011 09:48 PM

    Hello, all.

    I am trying to feed a network tap into a vSwitch so that I can use VM instances to run snort, ntop on the network traffic.

    Internet ----- FW ----- Physical Switch -------VMWare ESXi pNIC ------VMWare vSwitch ------ VMWare vNIC ----VM instance (Linux box)

    My set up:

    1. Feed a mirror port tap from a physical switch into a physical NIC on a VMWare ESXi

    2. Create a vSwitch with that mirror port tap on it & set the vSwitch to allow promiscuous mode

    3. Create a VM instance (Linux server) with 2 vNICs (1 vNIC plugged into the vSwitch, 1 vNIC is for managing the Linux server)

    4. Install Snort, NTOP, etc... on the Linux server and have them listen on the vNIC that is plugged into the vSwitch

    Why am I doing this? I don't want to set up a physical server just to tap the traffic.

    If you have a better idea to accomplish the objective, please give me a shout.

    Thanks.



  • 2.  RE: Feeding network tap (port mirror) into a vSwitch?

    Posted Aug 07, 2011 09:59 PM

    Tcpdump does not see anything on the ethX on the Linux (attached to the vSwitch that is in promiscuous mode)?

    Marcelo Soares



  • 3.  RE: Feeding network tap (port mirror) into a vSwitch?

    Posted Aug 08, 2011 12:47 AM

    Hi, Marcelo.

    No. Nothing sees any traffic on that vSwitch. Nada. Snort, tcpdump, or ntop do not see anything.

    The port mirror was working with a physical server though. So this port mirror was feeding traffic.

    In this setup, there is no traffic coming into the vSwitch. I wonder if it's doable.

    I found this note.

    http://community.xangati.com/topic.php?id=30

    I will have to take a closer look at my settings on the vSwitch. But I want to know if others have done this successfully.

    Thanks.

    Bee



  • 4.  RE: Feeding network tap (port mirror) into a vSwitch?

    Posted Aug 08, 2011 03:04 AM

    I already did, in fact, have some appliances running with packet sniffers. You can try:

    - Change the vNIC of the VM to the e1000 driver (can't imagine why a vmxnet should cause this, but let's try anything :) )

    - Check if the VM can capture packets from other VMs on the same vswitch;

    - If you can, get into the ESX console via ssh or physically; I think there is a tcpdump-uw binary there to test directly from the ESX (you should have a vmkernel port attached to this vSwitch)

    Good luck,

    Marcelo Soares
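Step 2 of the original post ("set the vSwitch to allow promiscuous mode") and Marcelo's suggestion above to check whether the VM can capture other VMs' packets both hinge on the same setting. On a standard vSwitch the port group inherits the vSwitch security policy unless its own "Override Vswitch ..." flag is set, so "Allow Promiscuous: true" at the vSwitch level is not enough on its own; a port-group override can turn it back off, and the sniffer vNIC then sees nothing even though the mirror port is delivering frames to the pNIC. The script below is an added example, not code from this thread or from VMware. It assumes the two policy texts come from `esxcli network vswitch standard policy security get -v <vSwitch>` and `esxcli network vswitch standard portgroup policy security get -p <portgroup>` (run on the host; not run here), assumes the `Label: value` layout shown, and uses constructed sample outputs so it runs offline:

```shell
#!/bin/sh
# Added example (not from the thread or from VMware): work out whether a
# port group will really deliver frames for foreign MAC addresses to the
# sniffer vNIC, following the inherit/override rule of a standard vSwitch.
#
# Assumed live sources of the two policy texts (not executed here):
#   esxcli network vswitch standard policy security get -v "$VSWITCH"
#   esxcli network vswitch standard portgroup policy security get -p "$PORTGROUP"
# The "   Label: value" layout and the label names below are assumptions
# about that output; the sample texts themselves are constructed.

# field LABEL  -- print the lowercased value of the line "   LABEL: value".
# The "^ *" anchor keeps "Allow Promiscuous" from also matching the
# "Override Vswitch Allow Promiscuous" line.
field() {
    sed -n "s/^ *$1: *//p" | tr 'A-Z' 'a-z'
}

# effective_promiscuous VSWITCH_POLICY PORTGROUP_POLICY
# Prints "true" when the port group will receive promiscuous traffic,
# "false" otherwise: the port-group value counts only when its override
# flag is true, otherwise the vSwitch value is inherited.
effective_promiscuous() {
    sw=$(printf '%s\n' "$1" | field "Allow Promiscuous")
    pg=$(printf '%s\n' "$2" | field "Allow Promiscuous")
    ovr=$(printf '%s\n' "$2" | field "Override Vswitch Allow Promiscuous")
    if [ "$ovr" = "true" ]; then
        printf '%s\n' "$pg"
    else
        printf '%s\n' "$sw"
    fi
}

# Constructed sample 1: promiscuous enabled on the vSwitch (step 2 of the
# original post) but a port-group override quietly turns it back off.
SW_ON='   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true'
PG_OVERRIDE_OFF='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true
   Override Vswitch Allow Promiscuous: true
   Override Vswitch MAC Address Change: false
   Override Vswitch Forged Transmit: false'

# Constructed sample 2: vSwitch left at its default (false), but the
# monitoring port group overrides it to true. This is the tighter layout:
# only the sniffer's port group, not every VM on the vSwitch, sees the
# mirrored traffic.
SW_OFF='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true'
PG_OVERRIDE_ON='   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true
   Override Vswitch Allow Promiscuous: true
   Override Vswitch MAC Address Change: false
   Override Vswitch Forged Transmit: false'

# Constructed sample 3: no override, so the port group simply inherits.
PG_INHERIT='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true
   Override Vswitch Allow Promiscuous: false
   Override Vswitch MAC Address Change: false
   Override Vswitch Forged Transmit: false'

# report NAME VSWITCH_POLICY PORTGROUP_POLICY -- one summary line
report() {
    printf '%-38s effective Allow Promiscuous = %s\n' "$1" \
        "$(effective_promiscuous "$2" "$3")"
}

report "vSwitch on, port group override off" "$SW_ON"  "$PG_OVERRIDE_OFF"  # false
report "vSwitch off, port group override on" "$SW_OFF" "$PG_OVERRIDE_ON"   # true
report "vSwitch on, port group inherits"     "$SW_ON"  "$PG_INHERIT"       # true
```

Sample 1 is the case that produces exactly the symptom in the thread: the vSwitch checkbox is set, yet tcpdump on the VM stays silent. Sample 2 is the configuration to aim for, because promiscuous mode widens what every vNIC on that port group can observe, so it should be confined to a dedicated monitoring port group rather than granted to the whole vSwitch. Once the effective value is true, the next check is the one Marcelo describes: run tcpdump on the sniffer vNIC while another VM on the same vSwitch generates traffic; if that works but the mirror still shows nothing, the problem is upstream of the vSwitch (the mirror session or the pNIC assignment), not the VM.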



  • 5.  RE: Feeding network tap (port mirror) into a vSwitch?

    Posted Mar 14, 2012 02:43 PM

    Sorry to dig up an old post, but did you get this to work?

    I'm looking to do something similar.