Network sniffing with Virtual PC / Virtual Server

Is not a good idea.  Sorry.  Every now and then someone asks me whether Virtual PC / Virtual Server can be used to run network sniffing applications to perform analysis of general network traffic - and the answer is 'Yes and no and not really'.

The 'Yes' part is that Virtual PC / Virtual Server do support having the virtual network card put into promiscuous mode and can run network sniffing applications to gather any network traffic going by.

The 'No' part is because the virtual network created for virtual machines acts like a network hub with a switched uplink connection.  This means that the virtual machine will only see network traffic that is headed for virtual machines connected to the same virtual network as itself.  It will not see network traffic that is headed for the host operating system, or for any other physical computers on the network.

This is a show stopper for most people - as they are usually interested in monitoring network traffic between physical computers, not virtual machines.

Cheers,
Ben
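
To check whether a given capture point is limited in the way described above, you can classify the destination MACs in a capture. This is an added example, not part of the original post; the MAC addresses, sample frames and function names are all constructed for illustration.

```python
from collections import Counter

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def make_frame(dst: str, src: str, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Build a minimal Ethernet II frame (only used for the constructed samples)."""
    to_raw = lambda m: bytes(int(p, 16) for p in m.split(":"))
    return to_raw(dst) + to_raw(src) + ethertype.to_bytes(2, "big") + payload

def classify(frame: bytes, segment_macs: set) -> str:
    """Classify one frame by destination MAC (segment_macs are lowercase strings)."""
    if len(frame) < 14:                 # shorter than an Ethernet header
        return "truncated"
    dst = frame[:6]
    if dst[0] & 0x01:                   # I/G bit set: broadcast or multicast
        return "group"
    return "segment_unicast" if mac_str(dst) in segment_macs else "foreign_unicast"

def audit_capture(frames, segment_macs):
    """Count frame classes; foreign unicast means the sniffer sees beyond its own segment."""
    counts = Counter(classify(f, segment_macs) for f in frames)
    return {"counts": dict(counts), "sees_foreign_unicast": counts["foreign_unicast"] > 0}

# Constructed addresses (locally administered), assumptions for this example only.
VM_SNIFFER, VM_WEB = "02:00:00:00:00:01", "02:00:00:00:00:02"
PHYSICAL_PC, ROUTER = "02:00:00:00:00:bb", "02:00:00:00:00:cc"
SEGMENT = {VM_SNIFFER, VM_WEB}          # VMs on the same virtual network

# Constructed capture taken inside a VM on the virtual network.
VM_CAPTURE = [
    make_frame(VM_WEB, ROUTER),
    make_frame(VM_SNIFFER, VM_WEB),
    make_frame("ff:ff:ff:ff:ff:ff", VM_WEB, 0x0806),
]
# Constructed capture that also contains traffic between physical machines.
WIDE_CAPTURE = VM_CAPTURE + [make_frame(ROUTER, PHYSICAL_PC), make_frame(PHYSICAL_PC, ROUTER)]

if __name__ == "__main__":
    print("virtual network only:", audit_capture(VM_CAPTURE, SEGMENT))
    print("wider visibility:    ", audit_capture(WIDE_CAPTURE, SEGMENT))
```

A capture with no foreign unicast frames, taken while other machines are known to be talking, indicates the sniffer is only seeing its own virtual network.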

  • Hi Ben,

    Just a small comment on this. I happen to run a network sniffer in a Virtual Machine (ok, running on VMware, but should not matter) and I am monitoring all traffic going to the internet and out, from all Virtual and Physical machines in my network. The way to do this is to 'just' have a managed switch and use the port mirroring option. Most managed switches allow you to do this. It will copy all data going to one port (in my case the port that has my router in it) to another port. This other port is connected to my special virtual machine network, called sniffer network :-) Works great for me. So in some cases Virtual Machines work as excellent network sniffers/analyzers :-)
  • So that mirrored port runs to a second NIC on your box, I assume?  Does that have any effect on the rest of the system?  I've thought of doing something similar.  Keeping the 2 NICs from interfering with each other has always been my problem.
