
Hyper-V Network Packet Captures


J Wolfgang Goerlich
Aug 13, 2009, 10:45:39 AM
Hello group,

I am building a security practice lab machine. The host OS is Windows
Server 2008 R2 with Hyper-V. The guests will be Windows 2008, Windows
7, Vista and XP. I would like to set up one guest VM to sniff (capture
network packets) the virtual network. How do I configure the virtual
network to mirror all packets to a specific virtual network adapter?

Thanks in advance,

J Wolfgang Goerlich

Bill Grant
Aug 13, 2009, 8:33:37 PM

"J Wolfgang Goerlich" <jwgoe...@gmail.com> wrote in message
news:8bd72ee2-d0cd-4acb...@s15g2000yqs.googlegroups.com...

Unfortunately you cannot do that. There is no way to put the virtual
network adapter into promiscuous mode so that it can see traffic addressed
to other NICs on the virtual switch.

J Wolfgang Goerlich
Aug 13, 2009, 9:10:21 PM
Ok. How about converting the virtual switch into a virtual hub, to
echo out all the traffic to all attached ports? Is that possible?

Bill Grant
Aug 14, 2009, 2:31:54 AM
You would still need to switch the NICs to promiscuous mode, even on a
hub. And the virtual switch is a switch, not a virtual hub.


"J Wolfgang Goerlich" <jwgoe...@gmail.com> wrote in message

news:8ca727b1-9501-4927...@t13g2000yqt.googlegroups.com...

J Wolfgang Goerlich
Aug 14, 2009, 8:39:35 AM
Good point. Alright, any other option you can think of? Surely there
is a way to capture network traffic between VMs in Hyper-V.

Bill Grant
Aug 14, 2009, 9:52:06 PM
None that I know of.


"J Wolfgang Goerlich" <jwgoe...@gmail.com> wrote in message

news:1d102c64-5f65-4fa7...@g10g2000yqh.googlegroups.com...

J Wolfgang Goerlich
Aug 15, 2009, 2:33:21 PM
"Bill Grant" <not.available@online> wrote:
> None that I know of.

Alright. Please let me know if you think of anything.

I will keep at it. I have installed a Win2003 32-bit guest with a
standard network adapter (Microsoft virtual machine bus network
adapter). Installed Wireshark 1.2.1 with WinPcap. Configured WinPcap
to run as a service. Plugged the network adapter into an external
virtual network. The guest is able to sniff all broadcast traffic and
all traffic directed to it.

J Wolfgang Goerlich

Robert Comer
Aug 15, 2009, 4:06:51 PM
>Anyone have any issues with this suggestion?

Maybe I'm missing something, but there's no path from the sniffer to
the other VMs, so no incoming traffic will get to the other VMs; you
need the sniffer to be assigned to all the subnets. And RRAS has to
know all the subnets for any routing to happen, for that matter. (You
can assign multiple IP/subnets to the same NIC...)

--
Bob Comer


On Sat, 15 Aug 2009 14:57:46 -0500, "Paul Yhonquea" <no...@none.com>
wrote:

>Been trying to post to this thread all morning... here goes...
>
>Hello,
>
>
>Here is a (wild) shot in the dark. Have the sniffer VM set up as a router
>that all traffic has to pass through (like a default gateway). Address all
>of your VMs like the attached diagram. Have your sniffer machine set up with
>RRAS. Since it will be configured as the default gateway for all other VMs,
>all traffic will have to pass through it. Have the sniffer program examine
>all traffic coming to its 192.168.1.1 interface.
>
>Please examine the diagram I have attached.
>
>Anyone have any issues with this suggestion?
>
>
>
>Paul
>

Paul Yhonquea
Aug 15, 2009, 4:20:52 PM
Hi, Robert,

Have all of the VMs configured so that they use the same virtual network.
All traffic on the network depicted in the diagram has to go through
192.168.1.1 (sniffer/gateway IP) in order for it to get from point A (any
one of the VMs behind the gateway) to point B (any of the other VMs behind
the gateway). All of the VMs are configured on different nets (192.168.2.0,
192.168.3.0, 192.168.4.0, and 192.168.5.0), but all have a 16-bit mask
(255.255.0.0). So the gateway will have to see every packet that hits the
wire.

And if I remember correctly, Wireshark is bound to a physical adapter, not
an IP address or subnet. So if the sniffer has one network adapter, all
traffic that goes through it will be detected by Wireshark.


Am I making sense in my assumptions? Please let me know.

Paul Yhonquea


"Robert Comer" <bobcomer-...@mindspring.com> wrote in message
news:h45e859re2dfnfrr4...@4ax.com...

Robert Comer
Aug 15, 2009, 4:39:31 PM
>So the gateway will have to see every packet that hits the
>wire.

I thought I was missing something -- the subnet mask of 255.255.0.0,
that explains that. It would probably work, as Wireshark can handle
that, I think. I'm not sure I see any advantage to using the
192.168.x.x subnets though; a single 192.168.1.x would achieve the
same results.

--
Bob Comer


On Sat, 15 Aug 2009 15:20:52 -0500, "Paul Yhonquea" <no...@none.com>

Paul Yhonquea
Aug 15, 2009, 5:30:24 PM
Bob,

I do see your point there. I guess I used the different subnets to sort of
guarantee that the traffic does indeed get to the sniffer's interface. I am
not intimately familiar with how the virtual networks work, whether they
work like a virtual hub (where all traffic is broadcast to everyone on that
net regardless), or like a virtual switch (where the only nodes that would
get any of the traffic are those to where the packets were destined).

I was not sure if we were to, for example, have all of the machines on the
same /24 net, would traffic from node A destined for node C be seen by node
B. In a physical environment, only a hub would allow this (with no extra
configuration). A switch would need to be configured to do such a thing
(for example, Cisco's port mirroring).

Your thoughts?


Paul Yhonquea

"Robert Comer" <bobcomer-...@mindspring.com> wrote in message

news:ds6e8518lej237u8g...@4ax.com...

Robert Comer
Aug 15, 2009, 5:44:23 PM
>whether they
>work like a virtual hub (where all traffic is broadcast to everyone on that
>net regardless), or like a virtual switch (where the only nodes that would
>get any of the traffic are those to where the packets were destined).


They act as a virtual switch, so each node only sees packets destined
for that node.

--
Bob Comer

Paul Yhonquea
Aug 15, 2009, 9:47:04 PM
>They act as a virtual switch, so each node only sees packets destined
>for that node.

That was my original belief. So, in theory, do you think my idea about
using the sniffer as a default gateway will work? That is the only way I
can think to get all traffic to the sniffer.

I am open to critiques.


Paul Yhonquea


Robert Comer
Aug 15, 2009, 10:14:01 PM
I've never done that kind of thing myself, but it looks sound. I've
only used Wireshark to diagnose single PCs, so I can't say for sure.

--
Bob Comer


On Sat, 15 Aug 2009 20:47:04 -0500, "Paul Yhonquea" <no...@none.com>
wrote:

>>They act as a virtual switch, so each node only sees packets destined

Bill Grant
Aug 15, 2009, 10:33:31 PM
That is pretty much what I would expect. Only broadcast traffic will be
seen. You will not see traffic going from one VM to another (or from a VM to
a machine on the physical LAN). That is all directed traffic (MAC to MAC)
and is only seen by the target machine.


"J Wolfgang Goerlich" <jwgoe...@gmail.com> wrote in message

news:d2c07f80-7eea-4080...@24g2000yqm.googlegroups.com...

Bill Grant
Aug 15, 2009, 10:44:20 PM

"Paul Yhonquea" <no...@none.com> wrote in message
news:e4c$2NhHKH...@TK2MSFTNGP03.phx.gbl...

Packets only go to the default gateway if they need to leave the segment.
If all machines are in the same segment and the same IP subnet they
communicate directly "on the wire" using MAC addresses. Each machine would
need to be in a different IP subnet to force the traffic to use the DG.

So yes, forcing all traffic to use one NIC (which was running a sniffer)
would be worth a try. But it rather defeats the purpose, since you have
dramatically changed the network you are trying to monitor.
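To make Bill's on-link vs. default-gateway distinction concrete, here is an added example (not code from any poster) that models the thread's addressing plan: four VMs on 192.168.2.0 through 192.168.5.0 behind a sniffer/router VM, and checks which VM-to-VM flows the sniffer NIC would ever forward. The VM names, host addresses and the idea of giving the sniffer NIC one address per subnet (as Bob suggested) are constructed assumptions.

```python
import ipaddress

# Constructed lab addressing modelled on the thread's diagram; names and
# host addresses are hypothetical.
LAB_VMS = {
    "vm_a": "192.168.2.10",
    "vm_b": "192.168.3.10",
    "vm_c": "192.168.4.10",
    "vm_d": "192.168.5.10",
}
# Assumed: the sniffer/RRAS NIC carries one address per subnet so that it
# is an on-link gateway for every VM (Bob's "multiple IP/subnets to the same NIC").
SNIFFER_ADDRS = ["192.168.1.1", "192.168.2.1", "192.168.3.1",
                 "192.168.4.1", "192.168.5.1"]


def next_hop(src_ip, mask, dst_ip, gateway_addrs):
    """How a host configured src_ip/mask delivers a packet for dst_ip.

    'direct'      -> destination is on-link; the virtual switch delivers it
                     MAC to MAC and the sniffer NIC never sees it.
    'gateway'     -> destination is off-link and a gateway address is on-link,
                     so the packet is forwarded through the sniffer/router.
    'unreachable' -> destination is off-link but no gateway address is on-link.
    """
    net = ipaddress.IPv4Interface(f"{src_ip}/{mask}").network
    if ipaddress.IPv4Address(dst_ip) in net:
        return "direct"
    if any(ipaddress.IPv4Address(g) in net for g in gateway_addrs):
        return "gateway"
    return "unreachable"


def flows_by_delivery(vms, mask, gateway_addrs):
    """Count every ordered VM-to-VM flow by how it would be delivered."""
    counts = {"direct": 0, "gateway": 0, "unreachable": 0}
    for a, ip_a in vms.items():
        for b, ip_b in vms.items():
            if a != b:
                counts[next_hop(ip_a, mask, ip_b, gateway_addrs)] += 1
    return counts


if __name__ == "__main__":
    # The /16 plan from the thread: every VM is on-link, so the sniffer sees nothing.
    print("/16:", flows_by_delivery(LAB_VMS, "255.255.0.0", SNIFFER_ADDRS))
    # Real per-VM /24 subnets with the sniffer addressed in each: all flows routed.
    print("/24:", flows_by_delivery(LAB_VMS, "255.255.255.0", SNIFFER_ADDRS))
    # /24 subnets but only 192.168.1.1 on the sniffer: nothing can reach the gateway.
    print("/24, one gw:", flows_by_delivery(LAB_VMS, "255.255.255.0", ["192.168.1.1"]))
```

The first case is the plan as described (different third octets but a 255.255.0.0 mask), which leaves every VM on the same 192.168.0.0/16 segment; only the second case actually pushes all traffic through the sniffer.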

Steve Buckley
Aug 25, 2009, 7:34:45 PM
I think the principle is still valid; you generally use a sniffer to inspect
application traffic and sanity-check things like whether encryption is
enabled.
Could make a nice test bed without using a hub (which are increasingly hard
to acquire these days...) ...if it does indeed work.

"Bill Grant" <not.available@online> wrote in message
news:u5qKsthH...@TK2MSFTNGP05.phx.gbl...
