Do I need to configure SPAN or tap in a virtual testing environment


Smith

Mar 18, 2017, 5:05:50 AM
to security-onion
Dear All,

I am trying to create a virtual lab for testing Security Onion, and I am using VMware Workstation 12 Pro as the main environment. Do I need to create a virtual tap or some sort of virtual port mirroring? I am so confused about how Security Onion can see the traffic in a virtual network such as the default host-only network provided by VMware; I am not sure if it's possible or not!
I was thinking about connecting the topology to an Ethernet switch inside GNS3 and configuring SPAN ports. I don't know if this is possible, or if there is a real need to do such a thing.

Thanks very much in advance and have a great day,

Shane Castle

Mar 18, 2017, 5:29:33 AM
to securit...@googlegroups.com

For my VMware setup, I connected a mirrored port to an unused physical NIC on my system, set up a second bridged network to that NIC using the virtual network editor, and added a virtual NIC to my VM on that network. This works only for monitoring physical network traffic, though, not traffic between VMs.

Visit this group at https://groups.google.com/group/security-onion.

Justin Knox

Mar 18, 2017, 7:23:19 AM
to securit...@googlegroups.com
Shane's method works quite well.

An alternative, for those with only one physical NIC, would be to have the management NIC of your SO VM on the host-only network, and to set your capture NIC to share the physical NIC.

--Justin

Smith

Mar 18, 2017, 7:50:14 AM
to security-onion
Thank you Shane, but I want to monitor the traffic between VMs inside a lab environment, not the physical network. Therefore, I don't think this could work out for me.

Smith

Mar 18, 2017, 7:51:46 AM
to security-onion
Dear Justin, what about capturing from the virtual host-only subnet? How can I achieve that?

Shane Castle

Mar 18, 2017, 9:52:39 AM
to securit...@googlegroups.com
Here's something you might try, but AFAIK it is untried, or at any rate I could
not find anyone who tried it and published the results.

Set up a new bridged virtual network to an unused physical NIC but don't connect
anything to that NIC. Then add VNICs to your VMs on that network, giving them
all fixed IP addresses, except for the one you add to your SO instance as a
sniffing interface.

If the network is truly bridged then all the VNICs should behave as if
connected to an older ethernet hub rather than a modern switch, but VMware
might be smarter than that. I don't know, and I can't get definite info from the
user manuals.

As I said, it is untried. I suppose I could give it a try myself and report the
results but it would take me a few days.

A more-editable and better-featured virtual network subsystem in VMware
Workstation would be nice. I've wished for an IPv6 DHCP server for some time
now, and IMHO VMware is very late in providing one.

--
Best regards
Shane Castle


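A way to find out whether the bridged-network trick above actually gives the SO sniffing interface hub-like visibility, added here as an example and not code from this thread or from Security Onion. The point it checks is the one that is easy to get wrong: ARP requests and other broadcasts reach every port of a switch too, so seeing "some traffic" on the sniffing VNIC proves nothing. Only unicast frames whose source and destination MACs both belong to other VMs show that inter-VM traffic is visible. The script parses the link-layer lines that `tcpdump -e -nn` prints; the two captures, the MAC addresses and the host-only subnet are constructed for the example.

```python
"""Decide from a tcpdump -e -nn capture whether a sniffing interface sees
unicast traffic between two *other* VMs (hub-like) or only broadcasts
(switch-like). Example code, not part of the original thread or of Security Onion."""
import re
from collections import Counter

# tcpdump -e prints: "<timestamp> <src mac> > <dst mac>, ethertype NAME (0xNNNN), ..."
FRAME_RE = re.compile(
    r"^\S+\s+"                                          # timestamp
    r"(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+>\s+"   # source MAC
    r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}),\s+"      # destination MAC
    r"ethertype\s+(?P<etype>\S+)",
    re.IGNORECASE,
)

# Constructed: MAC of the SO VM's sniffing VNIC (no IP address assigned to it).
SNIFF_MAC = "00:0c:29:aa:bb:ee"

# Constructed capture: what a switch-like vmnet would deliver to the sniffing
# port while VM .11 pings VM .12 (only the broadcast ARP request, plus the
# sniffing VM's own IPv6 multicast chatter).
SWITCH_LIKE_CAPTURE = """\
12:00:00.000001 00:0c:29:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.100.12 tell 192.168.100.11, length 28
12:00:00.000002 00:0c:29:aa:bb:ee > 33:33:00:00:00:16, ethertype IPv6 (0x86dd), length 90: fe80::20c:29ff:feaa:bbee > ff02::16: HBH ICMP6, multicast listener report v2, length 20
"""

# Constructed capture: what a hub-like vmnet would deliver (the unicast ARP
# reply and the ICMP echo pair between the two other VMs are visible too).
HUB_LIKE_CAPTURE = SWITCH_LIKE_CAPTURE + """\
12:00:00.000003 00:0c:29:aa:bb:02 > 00:0c:29:aa:bb:01, ethertype ARP (0x0806), length 60: Reply 192.168.100.12 is-at 00:0c:29:aa:bb:02, length 46
12:00:00.000004 00:0c:29:aa:bb:01 > 00:0c:29:aa:bb:02, ethertype IPv4 (0x0800), length 98: 192.168.100.11 > 192.168.100.12: ICMP echo request, id 1, seq 1, length 64
12:00:00.000005 00:0c:29:aa:bb:02 > 00:0c:29:aa:bb:01, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.11: ICMP echo reply, id 1, seq 1, length 64
"""


def parse_frames(tcpdump_text):
    """Return (src_mac, dst_mac, ethertype) for every frame line tcpdump -e printed."""
    frames = []
    for line in tcpdump_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((m["src"].lower(), m["dst"].lower(), m["etype"]))
    return frames


def is_group_address(mac):
    """Broadcast/multicast: the I/G bit is the low bit of the first octet."""
    return int(mac.split(":")[0], 16) & 1 == 1


def classify(frames, own_mac):
    """Bucket frames by whether a switch would have delivered them to own_mac anyway."""
    own_mac = own_mac.lower()
    counts = Counter()
    for src, dst, _ in frames:
        if is_group_address(dst):
            counts["broadcast_or_multicast"] += 1   # seen on any switch port
        elif own_mac in (src, dst):
            counts["own_unicast"] += 1              # addressed to/from the sniffer itself
        else:
            counts["foreign_unicast"] += 1          # only a hub (or a mirror) shows these
    return counts


def sees_inter_vm_traffic(frames, own_mac):
    """True only if unicast frames between two *other* stations were captured."""
    return classify(frames, own_mac)["foreign_unicast"] > 0


if __name__ == "__main__":
    for name, text in (("switch-like", SWITCH_LIKE_CAPTURE), ("hub-like", HUB_LIKE_CAPTURE)):
        frames = parse_frames(text)
        print(name, dict(classify(frames, SNIFF_MAC)),
              "inter-VM traffic visible:", sees_inter_vm_traffic(frames, SNIFF_MAC))
```

To run it against a real lab, capture with `tcpdump -i <sniff-iface> -e -nn > cap.txt` on the SO VM while two other VMs on the same vmnet exchange pings, then feed `cap.txt` to `parse_frames`. Two caveats worth checking before blaming VMware: `tcpdump` puts the interface into promiscuous mode itself, but on a Linux host VMware Workstation refuses promiscuous mode for a VNIC unless the user running the VM has read/write access to the matching `/dev/vmnet*` device, and a sniffing VNIC that has been given an IP address will generate its own traffic, which the `own_unicast` bucket keeps separate so it is not mistaken for inter-VM visibility.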

Justin Knox

Mar 18, 2017, 12:43:27 PM
to securit...@googlegroups.com
Shane's suggestion is worth trying. 

Inter-VM traffic capture on VMware Workstation might be tough. On ESXi, you may be able to get such visibility with the Cisco Nexus 1000v switching add-on.

Otherwise you're looking at Gigamon's visibility fabric, also on ESXi.

--Justin