Vista - Hyper-V Network Packet Captures

08-13-2009

Hello group,

I am building a security practice lab machine. The host OS is Windows
Server 2008 R2 with Hyper-V. The guests will be Windows 2008, Windows
7, Vista and XP. I would like to setup one guest vm to sniff (capture
network packets) the virtual network. How do I configure the virtual
network to mirror all packets to a specific virtual network adapter?

Thanks in advance,

J Wolfgang Goerlich

08-13-2009

"J Wolfgang Goerlich" <jwgoerlich@newsgroup> wrote in message
news:8bd72ee2-d0cd-4acb-886d-7f47a0a18d94@newsgroup

Quote:

> Hello group,
>
> I am building a security practice lab machine. The host OS is Windows
> Server 2008 R2 with Hyper-V. The guests will be Windows 2008, Windows
> 7, Vista and XP. I would like to setup one guest vm to sniff (capture
> network packets) the virtual network. How do I configure the virtual
> network to mirror all packets to a specific virtual network adapter?
>
> Thanks in advance,
>
> J Wolfgang Goerlich

Unfortunately you cannot do that. There is no way to put the virtual
network adapter into promiscuous mode so that it can see traffic addressed
to other NICs on the virtual switch.

08-13-2009

Ok. How about converting the virtual switch into a virtual hub, to
echo out all the traffic to all attached ports? Is that possible?

On Aug 13, 8:33*pm, "Bill Grant" <not.available@newsgroup> wrote:

Quote:

> * *Unfortunately you cannot do that. There is no way to put the virtual
> network adapter into promiscuous mode so that it can see traffic addressed
> to other NICs on the virtual switch.

08-14-2009

You would still need to switch the NICs to promiscuous mode, even on a
hub. And the virtual switch is a switch, not a virtual hub.

"J Wolfgang Goerlich" <jwgoerlich@newsgroup> wrote in message
news:8ca727b1-9501-4927-8cec-50c21590bcc4@newsgroup

Quote:

> Ok. How about converting the virtual switch into a virtual hub, to
> echo out all the traffic to all attached ports? Is that possible?
>
> On Aug 13, 8:33 pm, "Bill Grant" <not.available@newsgroup> wrote:

Quote:

>> Unfortunately you cannot do that. There is no way to put the virtual
>> network adapter into promiscuous mode so that it can see traffic
>> addressed
>> to other NICs on the virtual switch.

>

08-14-2009

Good point. Alright, any other option you can think of? Surely there
is a way to capture network traffic between vms in Hyper-V.

On Aug 14, 2:31*am, "Bill Grant" <not.available@newsgroup> wrote:

Quote:

> You would still need to switch the NICs to promiscuous mode, even on
> a hub. And the virtual switch is a switch, not a virtual hub.

08-14-2009

None that I know of.

"J Wolfgang Goerlich" <jwgoerlich@newsgroup> wrote in message
news:1d102c64-5f65-4fa7-b091-453887c90f3f@newsgroup

Quote:

> Good point. Alright, any other option you can think of? Surely there
> is a way to capture network traffic between vms in Hyper-V.
>
> On Aug 14, 2:31 am, "Bill Grant" <not.available@newsgroup> wrote:

Quote:

>> You would still need to switch the NICs to promiscuous mode, even on
>> a hub. And the virtual switch is a switch, not a virtual hub.

08-15-2009

"Bill Grant" <not.available@newsgroup> wrote:

Quote:

> None that I know of.

Alright. Please let me know if you think of anything.

I will keep at it. I have installed a Win2003 32-bit guest with a
standard network adapter (Microsoft virtual machine bus network
adapter). Installed Wireshark 1.2.1 with WinPcap. Configured WinPcap
to run as a service. Plugged the network adapter into a external
virtual network. The guest is able to sniff all broadcast traffic and
all traffic directed to it.

J Wolfgang Goerlich

08-15-2009

>Anyone have any issues with this suggestion?

Maybe I'm missing something, but there's no path from the sniffer to
the other VM's, so no incoming traffic will get to the other VM's, you
need the sniffer to be assigned to all the subnets. And RRAS has to
know all the subnets for any routing to happen for that matter. (you
can assign multiple IP/subnets to the same NIC...)

--
Bob Comer

On Sat, 15 Aug 2009 14:57:46 -0500, "Paul Yhonquea" <none@newsgroup>
wrote:

Quote:

>Been trying to post to this thread all morning... here goes...
>
>Hello,
>
>
>Here is a (wild) shot in the dark. Have the sniffer VM set up as a router
>that all traffic has to pass through (like a default gateway). Address all
>of your VMs like the attached diagram. Have your sniffer machine setup with
>RRAS. Since it will be configured as the default gateway for all other VMs,
>all traffice will have to pass through it. Have the sniffer program examine
>all traffic coming to its 192.168.1.1 interface.
>
>Please examine the diagram I have attached.
>
>Anyone have any issues with this suggestion?
>
>
>
>Paul
>

08-15-2009

Hi, Robert,

Have all of the VMs configured to where they use the same virtual network.
All traffic on the network depicted in the diagram has to go through
192.168.1.1 (sniffer/gateway IP) in order for it to get from point A (any
one of the VMs behind the gatway) to point B (any of the other VMs behind
the gateway). All of the VMs are configured on different nets (192.168.2.0,
192.168.3.0, 192.168.4.0, and 192.168.5.0), but all have a 16 bit mask
(255.255.0.0). So the gateway will have to see every packet that hits the
wire.

And if I remember correctly, WireShark is bound to a physical adapter, not
an IP address or subnet. So if the sniffer has one network adapter, all
traffic that goes through it will be detected by WireShark.

Am I making sense in my assumptions? Please let me know.

Paul Yhonquea

"Robert Comer" <bobcomer-removeme-@newsgroup> wrote in message
news:h45e859re2dfnfrr4tm46b9uputcmp9v6i@newsgroup

Quote:

> >Anyone have any issues with this suggestion?

>
> Maybe I'm missing something, but there's no path from the sniffer to
> the other VM's, so no incoming traffic will get to the other VM's, you
> need the sniffer to be assigned to all the subnets. And RRAS has to
> know all the subnets for any routing to happen for that matter. (you
> can assign multiple IP/subnets to the same NIC...)
>
> --
> Bob Comer
>
>
> On Sat, 15 Aug 2009 14:57:46 -0500, "Paul Yhonquea" <none@newsgroup>
> wrote:
>

Quote:

>>Been trying to post to this thread all morning... here goes...
>>
>>Hello,
>>
>>
>>Here is a (wild) shot in the dark. Have the sniffer VM set up as a router
>>that all traffic has to pass through (like a default gateway). Address
>>all
>>of your VMs like the attached diagram. Have your sniffer machine setup
>>with
>>RRAS. Since it will be configured as the default gateway for all other
>>VMs,
>>all traffice will have to pass through it. Have the sniffer program
>>examine
>>all traffic coming to its 192.168.1.1 interface.
>>
>>Please examine the diagram I have attached.
>>
>>Anyone have any issues with this suggestion?
>>
>>
>>
>>Paul
>>

08-15-2009

>So the gateway will have to see every packet that hits the

Quote:

>wire.

I thought I was missing something -- the subnet mask of 255.255.0.0,
that explains that, it would probably work as wireshark can handle
that I think. I'm not sure I see any advantage to using the
192.168.x.x subnets though, a single 192.168.1.x would archive the
same results.

--
Bob Comer

On Sat, 15 Aug 2009 15:20:52 -0500, "Paul Yhonquea" <none@newsgroup>
wrote:

Quote:

>Hi, Robert,
>
>Have all of the VMs configured to where they use the same virtual network.
>All traffic on the network depicted in the diagram has to go through
>192.168.1.1 (sniffer/gateway IP) in order for it to get from point A (any
>one of the VMs behind the gatway) to point B (any of the other VMs behind
>the gateway). All of the VMs are configured on different nets (192.168.2.0,
>192.168.3.0, 192.168.4.0, and 192.168.5.0), but all have a 16 bit mask
>(255.255.0.0). So the gateway will have to see every packet that hits the
>wire.
>
>And if I remember correctly, WireShark is bound to a physical adapter, not
>an IP address or subnet. So if the sniffer has one network adapter, all
>traffic that goes through it will be detected by WireShark.
>
>
>Am I making sense in my assumptions? Please let me know.
>
>
>
>Paul Yhonquea
>
>
>
>
>"Robert Comer" <bobcomer-removeme-@newsgroup> wrote in message
>news:h45e859re2dfnfrr4tm46b9uputcmp9v6i@newsgroup

Quote:

>> >Anyone have any issues with this suggestion?

>>
>> Maybe I'm missing something, but there's no path from the sniffer to
>> the other VM's, so no incoming traffic will get to the other VM's, you
>> need the sniffer to be assigned to all the subnets. And RRAS has to
>> know all the subnets for any routing to happen for that matter. (you
>> can assign multiple IP/subnets to the same NIC...)
>>
>> --
>> Bob Comer
>>
>>
>> On Sat, 15 Aug 2009 14:57:46 -0500, "Paul Yhonquea" <none@newsgroup>
>> wrote:
>>

Quote:

>>>Been trying to post to this thread all morning... here goes...
>>>
>>>Hello,
>>>
>>>
>>>Here is a (wild) shot in the dark. Have the sniffer VM set up as a router
>>>that all traffic has to pass through (like a default gateway). Address
>>>all
>>>of your VMs like the attached diagram. Have your sniffer machine setup
>>>with
>>>RRAS. Since it will be configured as the default gateway for all other
>>>VMs,
>>>all traffice will have to pass through it. Have the sniffer program
>>>examine
>>>all traffic coming to its 192.168.1.1 interface.
>>>
>>>Please examine the diagram I have attached.
>>>
>>>Anyone have any issues with this suggestion?
>>>
>>>
>>>
>>>Paul
>>>

>

08-13-2009	#1 (permalink)
J Wolfgang Goerlich n/a posts	Hyper-V Network Packet Captures Hello group, I am building a security practice lab machine. The host OS is Windows Server 2008 R2 with Hyper-V. The guests will be Windows 2008, Windows 7, Vista and XP. I would like to setup one guest vm to sniff (capture network packets) the virtual network. How do I configure the virtual network to mirror all packets to a specific virtual network adapter? Thanks in advance, J Wolfgang Goerlich
My System Specs

08-13-2009	#2 (permalink)
Bill Grant n/a posts	Re: Hyper-V Network Packet Captures "J Wolfgang Goerlich" <jwgoerlich@newsgroup> wrote in message news:8bd72ee2-d0cd-4acb-886d-7f47a0a18d94@newsgroup Quote: > Hello group, > > I am building a security practice lab machine. The host OS is Windows > Server 2008 R2 with Hyper-V. The guests will be Windows 2008, Windows > 7, Vista and XP. I would like to setup one guest vm to sniff (capture > network packets) the virtual network. How do I configure the virtual > network to mirror all packets to a specific virtual network adapter? > > Thanks in advance, > > J Wolfgang Goerlich Unfortunately you cannot do that. There is no way to put the virtual network adapter into promiscuous mode so that it can see traffic addressed to other NICs on the virtual switch.
My System Specs

08-13-2009	#3 (permalink)
J Wolfgang Goerlich n/a posts	Re: Hyper-V Network Packet Captures Ok. How about converting the virtual switch into a virtual hub, to echo out all the traffic to all attached ports? Is that possible? On Aug 13, 8:33pm, "Bill Grant" <not.available@newsgroup> wrote: Quote: > *Unfortunately you cannot do that. There is no way to put the virtual > network adapter into promiscuous mode so that it can see traffic addressed > to other NICs on the virtual switch.
My System Specs

08-14-2009	#4 (permalink)
Bill Grant n/a posts	Re: Hyper-V Network Packet Captures You would still need to switch the NICs to promiscuous mode, even on a hub. And the virtual switch is a switch, not a virtual hub. "J Wolfgang Goerlich" <jwgoerlich@newsgroup> wrote in message news:8ca727b1-9501-4927-8cec-50c21590bcc4@newsgroup Quote: > Ok. How about converting the virtual switch into a virtual hub, to > echo out all the traffic to all attached ports? Is that possible? > > On Aug 13, 8:33 pm, "Bill Grant" <not.available@newsgroup> wrote: Quote: >> Unfortunately you cannot do that. There is no way to put the virtual >> network adapter into promiscuous mode so that it can see traffic >> addressed >> to other NICs on the virtual switch. >
My System Specs

08-14-2009	#5 (permalink)
J Wolfgang Goerlich n/a posts	Re: Hyper-V Network Packet Captures Good point. Alright, any other option you can think of? Surely there is a way to capture network traffic between vms in Hyper-V. On Aug 14, 2:31*am, "Bill Grant" <not.available@newsgroup> wrote: Quote: > You would still need to switch the NICs to promiscuous mode, even on > a hub. And the virtual switch is a switch, not a virtual hub.
My System Specs

08-14-2009	#6 (permalink)
Bill Grant n/a posts	Re: Hyper-V Network Packet Captures None that I know of. "J Wolfgang Goerlich" <jwgoerlich@newsgroup> wrote in message news:1d102c64-5f65-4fa7-b091-453887c90f3f@newsgroup Quote: > Good point. Alright, any other option you can think of? Surely there > is a way to capture network traffic between vms in Hyper-V. > > On Aug 14, 2:31 am, "Bill Grant" <not.available@newsgroup> wrote: Quote: >> You would still need to switch the NICs to promiscuous mode, even on >> a hub. And the virtual switch is a switch, not a virtual hub.
My System Specs

08-15-2009	#7 (permalink)
J Wolfgang Goerlich n/a posts	Re: Hyper-V Network Packet Captures "Bill Grant" <not.available@newsgroup> wrote: Quote: > None that I know of. Alright. Please let me know if you think of anything. I will keep at it. I have installed a Win2003 32-bit guest with a standard network adapter (Microsoft virtual machine bus network adapter). Installed Wireshark 1.2.1 with WinPcap. Configured WinPcap to run as a service. Plugged the network adapter into a external virtual network. The guest is able to sniff all broadcast traffic and all traffic directed to it. J Wolfgang Goerlich
My System Specs

08-15-2009	#8 (permalink)
Robert Comer n/a posts	Re: Hyper-V Network Packet Captures >Anyone have any issues with this suggestion? Maybe I'm missing something, but there's no path from the sniffer to the other VM's, so no incoming traffic will get to the other VM's, you need the sniffer to be assigned to all the subnets. And RRAS has to know all the subnets for any routing to happen for that matter. (you can assign multiple IP/subnets to the same NIC...) -- Bob Comer On Sat, 15 Aug 2009 14:57:46 -0500, "Paul Yhonquea" <none@newsgroup> wrote: Quote: >Been trying to post to this thread all morning... here goes... > >Hello, > > >Here is a (wild) shot in the dark. Have the sniffer VM set up as a router >that all traffic has to pass through (like a default gateway). Address all >of your VMs like the attached diagram. Have your sniffer machine setup with >RRAS. Since it will be configured as the default gateway for all other VMs, >all traffice will have to pass through it. Have the sniffer program examine >all traffic coming to its 192.168.1.1 interface. > >Please examine the diagram I have attached. > >Anyone have any issues with this suggestion? > > > >Paul >
My System Specs

08-15-2009	#9 (permalink)
Paul Yhonquea n/a posts	Re: Hyper-V Network Packet Captures Hi, Robert, Have all of the VMs configured to where they use the same virtual network. All traffic on the network depicted in the diagram has to go through 192.168.1.1 (sniffer/gateway IP) in order for it to get from point A (any one of the VMs behind the gatway) to point B (any of the other VMs behind the gateway). All of the VMs are configured on different nets (192.168.2.0, 192.168.3.0, 192.168.4.0, and 192.168.5.0), but all have a 16 bit mask (255.255.0.0). So the gateway will have to see every packet that hits the wire. And if I remember correctly, WireShark is bound to a physical adapter, not an IP address or subnet. So if the sniffer has one network adapter, all traffic that goes through it will be detected by WireShark. Am I making sense in my assumptions? Please let me know. Paul Yhonquea "Robert Comer" <bobcomer-removeme-@newsgroup> wrote in message news:h45e859re2dfnfrr4tm46b9uputcmp9v6i@newsgroup Quote: Quote: > >Anyone have any issues with this suggestion? > > Maybe I'm missing something, but there's no path from the sniffer to > the other VM's, so no incoming traffic will get to the other VM's, you > need the sniffer to be assigned to all the subnets. And RRAS has to > know all the subnets for any routing to happen for that matter. (you > can assign multiple IP/subnets to the same NIC...) > > -- > Bob Comer > > > On Sat, 15 Aug 2009 14:57:46 -0500, "Paul Yhonquea" <none@newsgroup> > wrote: > Quote: >>Been trying to post to this thread all morning... here goes... >> >>Hello, >> >> >>Here is a (wild) shot in the dark. Have the sniffer VM set up as a router >>that all traffic has to pass through (like a default gateway). Address >>all >>of your VMs like the attached diagram. Have your sniffer machine setup >>with >>RRAS. Since it will be configured as the default gateway for all other >>VMs, >>all traffice will have to pass through it. Have the sniffer program >>examine >>all traffic coming to its 192.168.1.1 interface. >> >>Please examine the diagram I have attached. >> >>Anyone have any issues with this suggestion? >> >> >> >>Paul >>
My System Specs

08-15-2009	#10 (permalink)
Robert Comer n/a posts	Re: Hyper-V Network Packet Captures >So the gateway will have to see every packet that hits the Quote: >wire. I thought I was missing something -- the subnet mask of 255.255.0.0, that explains that, it would probably work as wireshark can handle that I think. I'm not sure I see any advantage to using the 192.168.x.x subnets though, a single 192.168.1.x would archive the same results. -- Bob Comer On Sat, 15 Aug 2009 15:20:52 -0500, "Paul Yhonquea" <none@newsgroup> wrote: Quote: >Hi, Robert, > >Have all of the VMs configured to where they use the same virtual network. >All traffic on the network depicted in the diagram has to go through >192.168.1.1 (sniffer/gateway IP) in order for it to get from point A (any >one of the VMs behind the gatway) to point B (any of the other VMs behind >the gateway). All of the VMs are configured on different nets (192.168.2.0, >192.168.3.0, 192.168.4.0, and 192.168.5.0), but all have a 16 bit mask >(255.255.0.0). So the gateway will have to see every packet that hits the >wire. > >And if I remember correctly, WireShark is bound to a physical adapter, not >an IP address or subnet. So if the sniffer has one network adapter, all >traffic that goes through it will be detected by WireShark. > > >Am I making sense in my assumptions? Please let me know. > > > >Paul Yhonquea > > > > >"Robert Comer" <bobcomer-removeme-@newsgroup> wrote in message >news:h45e859re2dfnfrr4tm46b9uputcmp9v6i@newsgroup Quote: Quote: >> >Anyone have any issues with this suggestion? >> >> Maybe I'm missing something, but there's no path from the sniffer to >> the other VM's, so no incoming traffic will get to the other VM's, you >> need the sniffer to be assigned to all the subnets. And RRAS has to >> know all the subnets for any routing to happen for that matter. (you >> can assign multiple IP/subnets to the same NIC...) >> >> -- >> Bob Comer >> >> >> On Sat, 15 Aug 2009 14:57:46 -0500, "Paul Yhonquea" <none@newsgroup> >> wrote: >> Quote: >>>Been trying to post to this thread all morning... here goes... >>> >>>Hello, >>> >>> >>>Here is a (wild) shot in the dark. Have the sniffer VM set up as a router >>>that all traffic has to pass through (like a default gateway). Address >>>all >>>of your VMs like the attached diagram. Have your sniffer machine setup >>>with >>>RRAS. Since it will be configured as the default gateway for all other >>>VMs, >>>all traffice will have to pass through it. Have the sniffer program >>>examine >>>all traffic coming to its 192.168.1.1 interface. >>> >>>Please examine the diagram I have attached. >>> >>>Anyone have any issues with this suggestion? >>> >>> >>> >>>Paul >>> >
My System Specs

Similar Threads
Thread	Forum
Hyper-V network questions	Virtual PC
Trouble getting Hyper-V Virtual Network to work with second Network Adapter	Virtual Server
Hyper-V and network redundancy	Virtual Server
Packet sniffer and packet creator	PowerShell
network error MPFP packet inbound filter	Vista networking & sharing