walts
Contributor

Wireshark doesn't see vmnet interfaces

I'm trying to sniff traffic between my Leopard (10.5.7) host using Wireshark 1.0.2.

Wireshark shows interfaces en0, en1, en3 and lo0, but ifconfig shows vmnet1 and vmnet8

I want to sniff traffic between the Mac host and a Windows VM (NAT), but the traffic never shows up in Wireshark. The Windows VM communicates normally with the outside network.

Can anyone help me set this up correctly?

Walt

Here is the ifconfig output:

TestComputer:~ walts$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:25:00:d0:08:b4
    media: autoselect status: inactive
    supported media: none autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP <full-duplex,flow-control> 10baseT/UTP <full-duplex,hw-loopback> 100baseTX <half-duplex> 100baseTX <full-duplex> 100baseTX <full-duplex,flow-control> 100baseTX <full-duplex,hw-loopback> 1000baseT <full-duplex> 1000baseT <full-duplex,flow-control> 1000baseT <full-duplex,hw-loopback>
fw0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 4078
    lladdr 00:25:00:ff:fe:d0:08:b4
    media: autoselect <full-duplex> status: inactive
    supported media: autoselect <full-duplex>
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.1.144 netmask 0xffffff00 broadcast 192.168.1.255
    ether 00:23:6c:99:eb:b1
    media: autoselect status: active
    supported media: autoselect
en3: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:25:00:52:2a:a6
    media: autoselect status: inactive
    supported media: none autoselect 10baseT/UTP <half-duplex>
vmnet8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.246.1 netmask 0xffffff00 broadcast 192.168.246.255
    ether 00:50:56:c0:00:08
vmnet1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.97.1 netmask 0xffffff00 broadcast 192.168.97.255
    ether 00:50:56:c0:00:01
TestComputer:~ walts$

===========================

Accepted Solutions
admin
Immortal

I'm not sure what the P option is, but your problem is that you need to use sudo (otherwise anyone on the host can sniff guest traffic, even from other users). So for example:

~ etung$ sudo /Library/Application\ Support/VMware\ Fusion/vmnet-sniffer -e vmnet8
len  590 src 00:0c:29:f1:60:ab dst ff:ff:ff:ff:ff:ff IP src 0.0.0.0         dst 255.255.255.255 UDP src port 68 dst port 67
len   62 src 00:50:56:f6:df:47 dst ff:ff:ff:ff:ff:ff IP src 172.16.203.254  dst 172.16.203.132  ICMP ping request - len=28 type=8

Once I get vmnet-sniffer to work it's a two-step process, capture to a file and analyze the file in Wireshark, correct?

Yep. Another option would be to take captures in the guest.

As far as the forum software, see the plain text markup button for tips. Square brackets are used for links (but are frequently misinterpreted from other contexts); the code tag uses curly braces.

admin
Immortal

I'm not sure of the low-level details of Wireshark, but we don't implement some optional network interface features like BPF, which is why Wireshark might not be working. As a workaround, try /Library/Application Support/VMware Fusion/vmnet-sniffer.

walts
Contributor

I found that program in my searching before I posted - but it didn't seem to do anything at all. Perhaps it was in the way I specified the port?

I assume that the P in eP is a port identifier:

TestComputer:~ walts$ /Library/Application\ Support/VMware\ Fusion/vmnet-sniffer -h
vmnet-sniffer: illegal option -- h
usage: /Library/Application Support/VMware Fusion/vmnet-sniffer if
    -e: show ethernet header
    -w: output in raw format to specified file
        (readable by tcpdump/ethereal)
TestComputer:~ walts$

but numbers don't work, and the port designation given by ifconfig doesn't either.

Here's a log:

TestComputer:~ walts$ /Library/Application\ Support/VMware\ Fusion/vmnet-sniffer -e vmnet8
Connect to vmnet kext failed: errno 1

Once I get vmnet-sniffer to work it's a two-step process, capture to a file and analyze the file in Wireshark, correct?

Thanks for the help

Walt

- sorry, the italics are clips from a terminal session. Evidently this forum doesn't support tags :) I don't know how to get rid of the funny symbols in the help text.

W.

bwanaaa
Contributor

same problem here.

running this on terminal on the macbook pro host using snow leopard and the latest fusion

i am getting these errors:

dumbuser$ vmnet-sniffer -e vmnet8
Connect to vmnet kext failed: errno 1
dumbuser$ vmnet-sniffer -e vmnet8 -w testdump
Connect to vmnet kext failed: errno 1

ok , help, please

WoodyZ
Immortal

As shown in the example by Eric (etung) you need to use sudo with vmnet-sniffer, otherwise you will not have access to the device. ;)

bwanaaa
Contributor

Ok, that gave me a blank line- I assume the process is running. I did stuff then ctrl C out of the process but could not find the capture file. Oops. Is there a way to stop the sniff and save the capture file?

Stefan
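
For the capture-then-analyze workflow discussed in this thread, the following is an added example (not from any poster or from VMware) that reads a capture file offline and returns per-frame summaries with the same fields vmnet-sniffer -e prints. It assumes the -w output is a classic libpcap file, as the usage text's "readable by tcpdump/ethereal" suggests; the function names and the single sample frame are constructed for illustration.

```python
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip4(b):
    return ".".join(str(x) for x in b)

def summarize_pcap(data):
    """Return one summary dict per Ethernet frame in a classic pcap byte string."""
    # Assumption: the capture is classic libpcap (not pcapng), either byte order.
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic libpcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("expected Ethernet (linktype 1)")
    out, off = [], 24
    while off + 16 <= len(data):
        _, _, caplen, wirelen = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 14:
            continue  # record too short to hold an Ethernet header
        rec = {"len": wirelen, "dst": mac(frame[0:6]), "src": mac(frame[6:12])}
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == 0x0800 and len(frame) >= 34:  # IPv4
            ihl = (frame[14] & 0x0F) * 4
            rec.update(ip_src=ip4(frame[26:30]), ip_dst=ip4(frame[30:34]), proto=frame[23])
            l4 = 14 + ihl
            if frame[23] in (6, 17) and len(frame) >= l4 + 4:  # TCP or UDP ports
                rec["sport"], rec["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
        out.append(rec)
    return out

def sample_capture():
    """Constructed one-frame capture: a guest's DHCP broadcast (UDP 68 -> 67), checksums zeroed."""
    eth = bytes.fromhex("ffffffffffff" "000c29f160ab" "0800")
    udp = struct.pack("!HHHH", 68, 67, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4)
    frame = eth + ip + udp
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rhdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return ghdr + rhdr + frame

if __name__ == "__main__":
    for r in summarize_pcap(sample_capture()):
        print(r)
```

To use it on a real capture, pass the bytes of the file given to -w, for example `summarize_pcap(open(path, "rb").read())`.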