Support for sniffing vm network traffic?

virtual_jason · ‎10-06-2007

I have installed VMWare Fusion 1.1beta on a Leopard host recently and tried to sniff traffic sent from my VM image over the virtual network device from the host (tcpdump on the host side filtering on the IP given to the virtual host). No traffic appears unfortunately. With bridged networking, sniffing on the host ethernet device shows no traffic from the VM, and if NAT is enabled, you can't even open the vmnet device in promiscuous mode.

Will VMWare Fusion support this functionality? Thanks.

rcardona2k · ‎10-07-2007

I'll let VMware answer your question about host network sniffing functionality. If you this want this to work now, I would wire trace the network in the VM. Wireshark works well for this and it's free.

bruce_m_walker · ‎11-16-2007

I too am interested in this. When I attempt to run Wireshark (on the Mac) on vmnet8 I get ...

The capture session could not be initiated
(BIOCSETIF: vmnet8: Device not configured).

Sniffing net traffic is kind critical for me. I'm running Debian Etch in the VM.

I'll try installing tcpdump in Linux and see what I can get out of that, but being able to sniff from the Mac side is way more useful to me.

-bmw

-bmw

rcardona2k · ‎11-16-2007

You are you on Tiger (10.4) or Leopard (10.5), apparently there's a problem in Leopard in the guest putting the virtual NIC in promiscous mode. VMware are working on the issue. I'll try to test Wireshark on Windows and tcpdump on Ubuntu tonight.

bruce_m_walker · ‎11-16-2007

I'm on Plain Old Tiger (10.4.11). Fusion 1.1 (final).

-bmw

admin · ‎11-16-2007

The vmnet devices don't currently support BPF, which (according to my understanding) is necessary to use tools like tcpdump. As a workaround, try vmnet-sniffer (in /Library/Application Support/VMware Fusion/), which should let you capture packets.

bruce_m_walker · ‎11-16-2007

Thanks, Eric! That helps me. The output from vmnet-sniffer is "one-size-fits-all" apparently, and so it's cluttered with ssh traffic, but at least I can see that my app is sending stuff and getting replies. I appreciate that it can create Wireshark/tcpdump compatible dumps too.

(And definitely your interface must support bpf for tcpdump, or anything else that links to the

pcap(3)

library, to work.)

-bmw

-bmw

admin · ‎11-16-2007

Glad that worked out for you. Sorry about not currently supporting BPF, I've pinged the developers to remind them that people would like to have this.

rcardona2k · ‎11-17-2007

On Leopard attempting to put Ubuntu in promiscuous mode using tcpdump, generates this notice in Fusion:

The virtual machine's operating system has attempted to enable promiscuous mode on adapter Ethernet0. This is not allowed for security reasons.

Please go to the Web page "http://www.vmware.com/info?id=161" for help enabling promiscuous mode in the virtual machine.

But then tcpdump runs and it does capture data for the guest VM. Seems to work OK and there's an option to disable the warning.

Mitch_Haile · ‎01-25-2008

Any update on this? Trying to debug communication with the host/guest is hindered somewhat. vmnet-sniffer is a poor substitute (useful but not as useful as support BPF).

-- Mitch Haile 408-850-0129 (office) mitch.haile@gmail.com

LFowler · ‎04-03-2008

Is there any news on getting this BPF support?

admin · ‎04-03-2008

Is there any news on getting this BPF support?

No, sorry.

LFowler · ‎04-03-2008

Thanks for the update!

bilsch · ‎07-20-2009

Any progress on this?

$ sudo tcpdump -n -i vmnet1

tcpdump: BIOCSETIF: vmnet1: Device not configured

Sniffing from the guest perspective is possible but at times you need to sniff on both ends

admin · ‎07-20-2009

Use /Library/Application Support/VMware Fusion/vmnet-sniffer if you need to sniff from the host. I'm not a network guy but believe BPF support is what's needed for tcpdump to work.

pierswalter · ‎10-16-2010

Testing this under Fusion 3.1.1, tcpdump still doesn't work.

Is BPF support planned for Fusion devices at all?

Should I hold my breath for this?

All

Support for sniffing vm network traffic?