Poor man’s port mirroring in VMware ESXi

Mirroring ports is a method of monitoring network traffic. Basically, the switch sends a copy of the packets to another port. If we connect a listening software, better known as a “sniffer” (tcpdump, wireshark etc.), we can log all packets sent to this port and analyze them. This is quite usefull in testing scenarios.

VMware ESXi added port mirroring since version 5 but you need a distributed switch configured. If you have only 1 ESXi host, this feature is nonexistent .

It is quite simple to get the same functionality without a distributed switch on a single host:

  1. Create a new port group in the desired vSwitch.
  2. Put the port group in promiscous mode.
  3. Set the VM which you need to capture its traffic (let’s call it Test VM) into the new port group.
  4. Create a new VM which will act the sniffer (and call it sniffer)  and add it to the above mirrored port group.

All traffic to and from Test VM will be captured by sniffer as well. Here is how it looks:

esx_port_mirror

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s