4 Replies Latest reply on May 11, 2009 10:12 PM by supski

    Add BPF Support to VMWare Fusion Network Interfaces

    serac Novice

      I'm sitting in a SANS course right now at Virginia Tech using my MacBook.  There are lots of other Macs in the room; rough estimate, healthy 10% of 200 folks.  We're all pretty frustrated right now that we can't use tcpdump, Wireshark, EtherApe, or other analysis tools on the VMWare images distributed for the course.  The underlying problem is that VMWare network interfaces (vmnet8, vmnet1) don't implement the BPF interface.  Fusion developers should seriously consider adding support for this.  Lots of folks are using this tool for more than a toy to run MS Office.  All the serious Unix folks I know that have portables have Macs and use them for serious work, including network data capture and security analysis.  We're being forced into inconvenient workarounds right now because of this limitation.

       

      Regards,

      Marvin Addison

      Application Developer

      Virginia Tech

        • 1. Re: Add BPF Support to VMWare Fusion Network Interfaces
          LFowler Lurker

          Agreed.  I'd love to be able to do pcap live.  vmnet-sniffer is a step, but it's not live.

          • 2. Re: Add BPF Support to VMWare Fusion Network Interfaces
            asenci Lurker

            Quick hack to live cap with tcpdump (should work with wireshark too):

             

            $ sudo vmdump vmnet8 -n not icmp and not port 22

             

            /usr/local/sbin/vmdump:

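            #!/bin/bash
            # Live capture on a Fusion vmnet interface: vmnet-sniffer writes pcap
            # data into a FIFO and tcpdump reads it back as it arrives.

            if echo "${1}" | grep -q '^vmnet[0-9]$'; then
              ERRCOUNT='0'
              PIDSNIFF='0'
              PIDTDUMP='0'
              CAPINTF="${1}"
              CAPFILE="$(mktemp -t capture)"

              shift

              # Replace the temporary file with a FIFO of the same name.
              if rm -f "${CAPFILE}"; then
                if mkfifo "${CAPFILE}"; then
                  /Library/Application\ Support/VMware\ Fusion/vmnet-sniffer \
                    -w "${CAPFILE}" "${CAPINTF}" >/dev/null &
                  PIDSNIFF="$!"
                  tcpdump -r "${CAPFILE}" "${@}" &
                  PIDTDUMP="$!"

                  # Count failures in this shell: an increment placed inside a
                  # background job never reaches the parent's ERRCOUNT.
                  wait "${PIDSNIFF}" || let ERRCOUNT++
                  wait "${PIDTDUMP}" || let ERRCOUNT++
                else
                  let ERRCOUNT++
                fi
              else
                let ERRCOUNT++
              fi
            else
              let ERRCOUNT++
              echo "usage: $(basename "${0}") vmnetN [tcpdump options]"
            fi

            # Remove the FIFO if it was created.
            if [ -p "${CAPFILE}" ]; then
              rm -f "${CAPFILE}"
            fi

            exit "${ERRCOUNT}"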
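Added example, not part of the post above or of VMware's tooling: the same FIFO hand-off, with the FIFO kept inside a private `mktemp -d` directory (mode 0700) and created with mode 0600, so other local users cannot read the capture stream, and with cleanup once the reader exits. `live_capture`, `SNIFFER` and `READER` are hypothetical names; the `vmnet-sniffer -w FILE IFACE` and `tcpdump -r FILE` invocations are taken from the post.

```shell
#!/bin/bash
# Added example (not from the thread). SNIFFER and READER are hypothetical
# override variables; the defaults follow the invocation shown in the post.
SNIFFER="${SNIFFER:-/Library/Application Support/VMware Fusion/vmnet-sniffer}"
READER="${READER:-tcpdump}"

# live_capture IFACE [reader arguments...]
live_capture() {
  local intf dir fifo spid rc
  intf="${1:-}"
  # Same interface check as the posted script: vmnet0 .. vmnet9 only.
  case "$intf" in
    vmnet[0-9]) shift ;;
    *) echo "usage: live_capture vmnetN [reader arguments]" >&2; return 2 ;;
  esac
  # Fail early: with no writer, the reader would block forever on the FIFO.
  [ -x "$SNIFFER" ] || { echo "cannot execute: $SNIFFER" >&2; return 1; }

  # mktemp -d creates a new 0700 directory, so only the invoking user can
  # reach the FIFO inside it; -m 600 also keeps the FIFO itself private.
  dir="$(mktemp -d "${TMPDIR:-/tmp}/vmdump.XXXXXX")" || return 1
  fifo="$dir/capture.pcap"
  mkfifo -m 600 "$fifo" || { rmdir "$dir"; return 1; }

  "$SNIFFER" -w "$fifo" "$intf" >/dev/null &
  spid=$!
  rc=0
  "$READER" -r "$fifo" "$@" || rc=$?

  # Reader has finished: stop and reap the writer, then remove the directory.
  kill "$spid" 2>/dev/null || true
  wait "$spid" 2>/dev/null || true
  rm -rf "$dir"
  return "$rc"
}

# Usage (as root): live_capture vmnet8 -n not icmp and not port 22
```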

            • 3. Re: Add BPF Support to VMWare Fusion Network Interfaces
              asenci Lurker

              PS: I wish vmnet-sniffer supported "-w-"

              • 4. Re: Add BPF Support to VMWare Fusion Network Interfaces
                supski Lurker

                I have been a VMware Fusion user since day one and I'd like to second the original post.

                 

                Does anyone from VMware care to comment on when/whether we will see BPF support?

                 

                Apparently Parallels does not have this problem.

                 

                I have been a loyal Workstation and Fusion user for several years and I'm not really interested in switching products.  At the same time, I am considering trying Parallels because this is something I'm starting to really need in my daily work.

                 

                If there's a simple enough workaround, that would do just as well...

                 

                Any info greatly appreciated.