I'm trying to sniff traffic between my Leopard (10.5.7) host using Wireshark 1.0.2.
Wireshark shows interfaces en0, en1, en3 and lo0, but ifconfig shows vmnet1 and vmnet8.
I want to sniff traffic between the Mac host and a Windows VM (NAT), but the traffic never shows up in Wireshark. The Windows VM communicates normally with the outside network.
Can anyone help me set this up correctly?
Walt
Here is the ifconfig output:
TestComputer:~ walts$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:25:00:d0:08:b4
media: autoselect status: inactive
supported media: none autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP <full-duplex,flow-control> 10baseT/UTP <full-duplex,hw-loopback> 100baseTX <half-duplex> 100baseTX <full-duplex> 100baseTX <full-duplex,flow-control> 100baseTX <full-duplex,hw-loopback> 1000baseT <full-duplex> 1000baseT <full-duplex,flow-control> 1000baseT <full-duplex,hw-loopback>
fw0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 4078
lladdr 00:25:00:ff:fe:d0:08:b4
media: autoselect <full-duplex> status: inactive
supported media: autoselect <full-duplex>
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.1.144 netmask 0xffffff00 broadcast 192.168.1.255
ether 00:23:6c:99:eb:b1
media: autoselect status: active
supported media: autoselect
en3: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:25:00:52:2a:a6
media: autoselect status: inactive
supported media: none autoselect 10baseT/UTP <half-duplex>
vmnet8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.246.1 netmask 0xffffff00 broadcast 192.168.246.255
ether 00:50:56:c0:00:08
vmnet1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.97.1 netmask 0xffffff00 broadcast 192.168.97.255
ether 00:50:56:c0:00:01
TestComputer:~ walts$
===========================
I'm not sure of the low-level details of Wireshark, but we don't implement some optional network interface features like BPF, which is why Wireshark might not be working. As a workaround, try /Library/Application Support/VMware Fusion/vmnet-sniffer.
I found that program in my searching before I posted - but it didn't seem to do anything at all. Perhaps it was in the way I specified the port?
I assume that the P in eP is a port identifier:
TestComputer:~ walts$ /Library/Application\ Support/VMware\ Fusion/vmnet-sniffer -h
vmnet-sniffer: illegal option -- h
usage: /Library/Application Support/VMware Fusion/vmnet-sniffer if
-e: show ethernet header
-w: output in raw format to specified file
(readable by tcpdump/ethereal)
TestComputer:~ walts$
but numbers don't work, and the port designation given by ifconfig doesn't either.
Here's a log:
TestComputer:~ walts$ /Library/Application\ Support/VMware\ Fusion/vmnet-sniffer -e vmnet8
Connect to vmnet kext failed: errno 1
Once I get vmnet-sniffer to work it's a two-step process, capture to a file and analyze the file in Wireshark, correct?
Thanks for the help
Walt
- sorry, the italics are clips from a terminal session. Evidently this forum doesn't support tags. I don't know how to get rid of the funny symbols in the help text.
W.
I'm not sure what the P option is, but your problem is that you need to use sudo (otherwise anyone on the host can sniff guest traffic, even from other users). So for example:
~ etung$ sudo /Library/Application\ Support/VMware\ Fusion/vmnet-sniffer -e vmnet8
len 590 src 00:0c:29:f1:60:ab dst ff:ff:ff:ff:ff:ff IP src 0.0.0.0 dst 255.255.255.255 UDP src port 68 dst port 67
len 62 src 00:50:56:f6:df:47 dst ff:ff:ff:ff:ff:ff IP src 172.16.203.254 dst 172.16.203.132 ICMP ping request - len=28 type=8
Once I get vmnet-sniffer to work it's a two-step process, capture to a file and analyze the file in Wireshark, correct?
Yep. Another option would be to take captures in the guest.
As far as the forum software, see the plain text markup button for tips. Square brackets are used for links (but are frequently misinterpreted from other contexts); the code tag uses curly braces.
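A small parser for the text that vmnet-sniffer -e prints, as in etung's capture above, so a host admin can triage guest traffic without a capture-file round trip through Wireshark. This is an added example, not VMware's or any poster's code; it assumes the line layout shown in that post (the same two frames are embedded as a constructed sample) and that 00:0c:29 and 00:50:56 are VMware MAC prefixes.

```python
import re

# Constructed sample: the two frames etung's post shows from
# `sudo vmnet-sniffer -e vmnet8`, one frame per line (the forum ran them together).
SAMPLE = """\
len 590 src 00:0c:29:f1:60:ab dst ff:ff:ff:ff:ff:ff IP src 0.0.0.0 dst 255.255.255.255 UDP src port 68 dst port 67
len 62 src 00:50:56:f6:df:47 dst ff:ff:ff:ff:ff:ff IP src 172.16.203.254 dst 172.16.203.132 ICMP ping request - len=28 type=8
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# Ethernet header (printed by -e), then the IP layer, then the transport detail as printed.
FRAME_RE = re.compile(
    rf"^len (?P<len>\d+) src (?P<smac>{MAC}) dst (?P<dmac>{MAC}) "
    rf"IP src (?P<sip>{IPV4}) dst (?P<dip>{IPV4}) (?P<proto>\w+)\s*(?P<rest>.*)$"
)
PORTS_RE = re.compile(r"src port (?P<sport>\d+) dst port (?P<dport>\d+)")


def parse_line(line):
    """Parse one vmnet-sniffer -e line into a dict; None for lines that are not frames."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    f = {k: m[k] for k in ("smac", "dmac", "sip", "dip", "proto")}
    f["len"] = int(m["len"])
    p = PORTS_RE.search(m["rest"])
    f["sport"], f["dport"] = (int(p["sport"]), int(p["dport"])) if p else (None, None)
    f["detail"] = m["rest"].strip()
    return f


def parse_capture(text):
    """All frames in a block of sniffer output, skipping status lines such as kext errors."""
    return [f for f in map(parse_line, text.splitlines()) if f is not None]


def describe(f):
    """Label who is talking (by VMware OUI) and flag the guest's DHCP request (UDP 68 -> 67)."""
    who = {"00:0c:29": "guest", "00:50:56": "host-side vmnet device"}.get(f["smac"][:8], "unknown")
    if f["proto"] == "UDP" and (f["sport"], f["dport"]) == (68, 67):
        return f"{who}: DHCP client -> server"
    return f"{who}: {f['proto']} {f['detail']}".strip()


if __name__ == "__main__":
    for frame in parse_capture(SAMPLE):
        print(f"{frame['smac']} -> {frame['dmac']} ({frame['len']} bytes): {describe(frame)}")
```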
Same problem here.
Running this in Terminal on the MacBook Pro host using Snow Leopard and the latest Fusion,
I am getting these errors:
OK, help, please.
As shown in the example by Eric (etung) you need to use sudo with vmnet-sniffer, otherwise you will not have access to the device.
OK, that gave me a blank line. I assume the process is running. I did stuff, then Ctrl-C'd out of the process, but could not find the capture file. Oops. Is there a way to stop the sniff and save the capture file?
Stefan