VMware Communities
ohaya
Contributor

Sniffer (e.g., tcpdump) on Centos guest can't see external traffic?

Hi,

I'm trying to set up a new guest on VMware Workstation (6.5) to run snort, following the steps in this doc:

http://www.snort.org/assets/159/Snort_2.9.1_CentOS_5.pdf

The guest is running CentOS 5.6, 32-bit. The host is Windows 7 Premium (32-bit), and I've been able to set up snort, etc., but after I did that, it looks like it wasn't seeing any traffic on the (bridged) network that was external to the guest (via eth1).

So, I tried running tcpdump, and that also doesn't seem to see any of the traffic on the external network/eth1.

I've tried enabling promiscuous mode inside the guest (ifconfig eth1 promisc) and "ifconfig -a" shows "PROMISC", but still I can't see any external traffic in tcpdump.

If I do something (e.g., ping www.google.com) from inside the guest, tcpdump DOES show that traffic.

Does anyone know what I might need to do to configure this guest so that it can see traffic on that eth1 interface from inside the guest?

Thanks,

Jimj

8 Replies
ohaya
Contributor

Hi,

As a sanity check, I installed Wireshark, to see if maybe I was messing up with tcpdump, but that is showing the same behavior, i.e., it's only capturing/seeing traffic that is either originating on or going to the VMware guest (192.168.0.152).

Does anyone have any ideas on this? Is it not possible to enable the guest to see external traffic?

Thanks,

Jim

WoodyZ
Immortal

Is the Host's NIC set for promiscuous mode?

ohaya
Contributor

Hi,

My host is Windows 7. I didn't know there was a way to check or change promiscuous mode, so I googled after your post. There's apparently a "netsh bridge show adapter" that's supposed to show the adapters, etc., but when I ran that on my machine, it's showing nothing (nothing is displayed).

I'm going to try to move the guest to another Win2K3 host that I have, and see if that makes a difference.

Thanks,

Jim

ohaya
Contributor

Hi,

OK, I moved the guest to a Win2K3 machine (instead of the original Win7 machine) as the host, and it looks like it does behave differently on the new guest. I can see traffic on the network outside of the guest on the Win2K3 host, so it must be something with VMware on Win7 vs. on Win2K3.

Does anyone have any ideas? Maybe the promiscuous thing that Woody mentioned (which I can't find how to configure for Win7)?

Thanks,

Jim

Bernd_Nowak
Hot Shot

ohaya
Contributor

Bernd,

I should have mentioned it, but that page was one that I looked at. When I run the netsh command on the Win7 (host) machine, it doesn't show any adapters at all :(. Again, I should have mentioned that explicitly, but that was what I meant when I said that I couldn't find how to configure promiscuous mode on the host.

Jim

Bernd_Nowak
Hot Shot

My fault, as that's for the bridge feature in Windows 7.

But you said your eth1 is connected to a network device. If it's a switch you should only see the network traffic from the eth1 device to the switch. A hub would show all network traffic.

I read a bit and I know that I have done network sniffing with VMware workstation and even with vSphere VMs but because of all the real switches in the network I could only see the VM related packets.

On a switch you might look for a monitor function. This would give you access to the other network traffic on the monitor port. But not all switches allow this.

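One way to tell the two situations apart from the guest side (switched segment vs. hub or mirror port) is to check whether a capture contains any IP packets where the guest is neither source nor destination. The script below is an added example, not code from this thread or from VMware; it parses plain `tcpdump -n` text lines, uses the guest address 192.168.0.152 from the thread, and works on a constructed sample capture so it runs offline. It handles IPv4 lines only; ARP and other non-IP lines are counted separately, since broadcasts like ARP reach every port on a switch anyway and prove nothing.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -i eth1` text output (not a real capture).
# Lines 1-4 involve the guest; line 5 is an ARP broadcast; line 6 is between two other hosts.
SAMPLE_CAPTURE = """\
10:01:01.000001 IP 192.168.0.152.41234 > 74.125.224.72.80: Flags [S], seq 1, win 5840, length 0
10:01:01.000200 IP 74.125.224.72.80 > 192.168.0.152.41234: Flags [S.], seq 1, ack 2, win 65535, length 0
10:01:02.000000 IP 192.168.0.152 > 74.125.224.72: ICMP echo request, id 1, seq 1, length 64
10:01:02.000300 IP 74.125.224.72 > 192.168.0.152: ICMP echo reply, id 1, seq 1, length 64
10:01:03.000000 ARP, Request who-has 192.168.0.1 tell 192.168.0.20, length 28
10:01:04.000000 IP 192.168.0.20.51000 > 192.168.0.30.22: Flags [P.], seq 1:50, ack 1, win 501, length 49
"""

# "<timestamp> IP <src[.port]> > <dst[.port]>: ..."  (IPv4 lines only, by assumption)
IP_LINE = re.compile(r"^\S+ IP (\S+) > (\S+?):")


def strip_port(endpoint):
    """Return the address of an endpoint such as 192.168.0.152.41234 (tcpdump appends .port)."""
    if endpoint.count(".") == 4:          # four dots means a trailing .port was appended
        return endpoint.rsplit(".", 1)[0]
    return endpoint


def classify_capture(text, guest_ip):
    """Count packets as 'local' (guest is src or dst), 'foreign' (neither) or 'non_ip'."""
    counts = Counter()
    for line in text.splitlines():
        m = IP_LINE.match(line)
        if not m:
            counts["non_ip"] += 1
            continue
        src, dst = strip_port(m.group(1)), strip_port(m.group(2))
        counts["local" if guest_ip in (src, dst) else "foreign"] += 1
    return counts


def verdict(counts):
    """Interpret the counts the way the thread does: no foreign packets means a switched port."""
    if counts["foreign"] == 0:
        return "no foreign IP traffic: switched segment, need a hub or a switch monitor/mirror port"
    return "foreign IP traffic seen: the interface is on a hub or a mirrored port"


if __name__ == "__main__":
    c = classify_capture(SAMPLE_CAPTURE, "192.168.0.152")
    print(dict(c), "->", verdict(c))
```

On the real guest the same check is a one-liner: `tcpdump -n -i eth1 not host 192.168.0.152` prints nothing but broadcasts on a switched port, because promiscuous mode only lets the NIC accept frames the switch actually forwards to it.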
Dennis_in_NH
Contributor

Bernd, switch vs. hub is my guess too.

There are times when I've downgraded those fancy switches to the old hubs just so I can do sniffing (e.g., to be able to see traffic other than that destined for my interfaces, and multicast/broadcast).

Other topic: snort apparently is open source IDP -- sounds really cool.

Dennis
