Virtual Machine Sniffer on ESX Hosts
If you assumed that, because all ESX virtual machines (VMs) share a virtual portgroup on a virtual switch (vSwitch) inside an ESX host, you could easily sniff all VM traffic with a protocol analyzer like Ethereal or Wireshark, you found out you were wrong when you tried it. If I am not mistaken, ESX vSwitches are considered layer 2 devices and come with all the expected security and isolation. However, you can make some relatively simple vSwitch design and setting changes to turn a VM into a virtual sniffer and monitor all other VMs on that same host. Another option is a free virtual appliance that lets you use your physical monitoring tools to watch your VMs. This post explores both of these free VM sniffer alternatives.
I’m going out on a limb here reporting what I’ve learned about VM sniffers, but I figure that passing on what I know so far would be helpful to VM /ETC readers. At the very least, use the info in this post to get you pointed in the right direction. Fill me in on what I’ve missed, please!
VM Sniffer
The first step is to create a new portgroup on the same vSwitch that your VMs are using. If you have to monitor VMs that are using different vSwitches, you will need to create a new portgroup on each vSwitch. New portgroups must be created on each ESX host that has VMs that need to be sniffed. I am told that VMsafe will make this process centralized and much easier in the next ESX releases.
The next step is to enable promiscuous mode on the portgroup you just created. See page 51 of the ESX Configure Guide for how to put a vSwitch in promiscuous mode (http://www.vmware.com/pdf/vi3_35/esx_3/r35u2/vi3_35_25_u2_3_server_config.pdf). Once that is done, a VM connected to that portgroup will see all VM traffic on the same vSwitch, even if other portgroups are present. As explained earlier, the boundary is the vSwitch.
Finally, connect a VM that has Ethereal, Wireshark, or whatever network sniffer tool you prefer installed to the new portgroup to monitor your traffic.
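Because a promiscuous portgroup exposes every other portgroup on its vSwitch, it helps to audit which portgroups actually have the setting on. The following Python is an added example, not code from the original post: it reports each portgroup whose effective policy allows promiscuous mode, whether the setting is inherited from the vSwitch, and which sibling portgroups share its vSwitch. The attribute names mirror the vSphere API's HostPortGroup objects as exposed by pyVmomi; the inventory, the approved allow-list and the helper names are constructed for illustration.

```python
from collections import defaultdict
from types import SimpleNamespace as NS


def effective_promiscuous(pg):
    """True if the portgroup's effective security policy allows promiscuous mode."""
    own = pg.spec.policy.security.allowPromiscuous
    if own is not None:  # explicit override set on the portgroup itself
        return bool(own)
    # None means "inherit from the vSwitch", so read the computed policy
    return bool(pg.computedPolicy.security.allowPromiscuous)


def audit_portgroups(portgroups, approved=()):
    """Return one finding per promiscuous portgroup, grouped by vSwitch."""
    by_vswitch = defaultdict(list)
    for pg in portgroups:
        by_vswitch[pg.spec.vswitchName].append(pg)
    findings = []
    for vswitch, members in sorted(by_vswitch.items()):
        for pg in members:
            if not effective_promiscuous(pg):
                continue
            findings.append({
                "vswitch": vswitch,
                "portgroup": pg.spec.name,
                "inherited": pg.spec.policy.security.allowPromiscuous is None,
                "approved": pg.spec.name in approved,
                # per the post, the visibility boundary is the vSwitch
                "exposed": sorted(o.spec.name for o in members if o is not pg),
            })
    return findings


def fake_pg(name, vswitch, own, computed):
    """Constructed stand-in for a HostPortGroup object (hypothetical helper)."""
    return NS(spec=NS(name=name, vswitchName=vswitch,
                      policy=NS(security=NS(allowPromiscuous=own))),
              computedPolicy=NS(security=NS(allowPromiscuous=computed)))


# Constructed sample inventory, not taken from a real host
SAMPLE = [
    fake_pg("Production", "vSwitch0", None, False),
    fake_pg("DMZ", "vSwitch0", None, False),
    fake_pg("Sniffer", "vSwitch0", True, True),
    fake_pg("Test", "vSwitch1", None, True),  # inherits promiscuous from vSwitch1
    fake_pg("Backup", "vSwitch1", False, False),
]

if __name__ == "__main__":
    for finding in audit_portgroups(SAMPLE, approved={"Sniffer"}):
        print(finding)
```

Against a live host, the same functions can be fed the portgroup list from the host's network configuration instead of SAMPLE; any finding with "approved" set to False deserves a look.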
Free Solera V2P Tap Virtual Appliance
Cody Bunch also posted about Solera Networks' free virtual appliance on his Professional VMware blog in January. I don’t have personal experience using the tool to add, but here is some information from the web site:
“The Solera V2P Tap allows organizations to utilize their existing intrusion detection and prevention systems (IDS/IPS), as well as other standard security tools to analyze network traffic between virtual machines. While originating from the virtual infrastructure, traffic that is regenerated to these security systems appears as any other network traffic and can therefore be analyzed using the same procedures. The virtual tap also runs very efficiently, with minimal CPU utilization.”
The V2P Tap datasheet explains how the appliance works a little more:
“The Solera V2P Tap is a VMware™ virtual appliance that passively captures network traffic flowing through an ESX Server virtual switch. The Solera V2P Tap then regenerates that traffic to any physical port, and then onto the physical wire, for complete visibility into the traffic and analysis by any existing security or management tool for in-depth monitoring or analysis.”
Special Thanks to Chris Wolf and Ken Cline for helping me out via Twitter in understanding how promiscuous mode works with ESX vSwitches. If you are not already, follow these guys for valuable virtualization information! Follow Cody Bunch too!









