vSwitch Port Mirroring
Posted by Chris on May 1, 2011
Say you want to set up Wireshark in a guest VM to capture traffic from other guest VMs on a particular vSwitch. Those familiar with VMware know that vSwitches and Port Groups have a promiscuous mode setting that will mirror traffic to every port on the vSwitch. This works well except that every virtual machine on that particular vSwitch, or belonging to that port group, also receives a copy of every other VM’s traffic.
A simple workaround is to create a separate port group, apply the promiscuous mode setting at the port group level, then add the guest VM to the new port group.
What is a Port Group?
First off, I think Port Groups should have been called Switchport Groups because they contain many of the settings commonly applied to a physical switch port. These include security, traffic shaping, NIC teaming and failover configuration. A single vSwitch can contain multiple port groups. We can leverage this capability to isolate our packet-capture VM and, in effect, configure a single SPAN port on the vSwitch.
To create a new port group go to the Properties of the vSwitch, click Add, select Virtual Machine then click Next.
In the Port Group Properties give the new port group a descriptive name by changing the Network Label. In this case we’ll call the port group “Monitor”. Click Next and then Finish.
To change the port group security settings to use promiscuous mode, highlight the Monitor port group and click Edit.
Under the Security tab, check the box next to Promiscuous Mode and change the drop-down to Accept, then click OK.
Lastly, add the guest VM to the new port group by editing the network adapter settings. My monitoring VM is called Win7-01. Select the VM in the inventory, click Edit Settings, Network Adapter and then select the newly created port group (Monitor) from the drop-down.
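The same four steps can be scripted with VMware PowerCLI, which is handy when the setup has to be repeated or audited. The script below is an added example and not part of the original post; it assumes PowerCLI is installed and reachable, that the vCenter/host name, the host name and the vSwitch name are placeholders you replace, and it reuses the "Monitor" port group and "Win7-01" VM names from the post. Only the port group policy is changed, so the vSwitch itself keeps rejecting promiscuous mode and every other port group continues to inherit that default.

```powershell
# Added example (not from the original post): create an isolated "Monitor" port group
# with Promiscuous Mode = Accept and move the capture VM into it, using PowerCLI.
# All server, host and switch names below are placeholders (assumptions).

param(
    [string]$VIServer   = 'vcenter.example.local',   # placeholder
    [string]$VMHostName = 'esxi-01.example.local',   # placeholder
    [string]$SwitchName = 'vSwitch0',                # placeholder
    [string]$PortGroup  = 'Monitor',                 # name used in the post
    [string]$MonitorVM  = 'Win7-01'                  # name used in the post
)

Import-Module VMware.VimAutomation.Core -ErrorAction Stop
$null = Connect-VIServer -Server $VIServer

$vmHost  = Get-VMHost -Name $VMHostName
$vSwitch = Get-VirtualSwitch -VMHost $vmHost -Name $SwitchName

# Steps 1-2: create the Monitor port group on the vSwitch (skip if it already exists).
$pg = Get-VirtualPortGroup -VirtualSwitch $vSwitch -Name $PortGroup -ErrorAction SilentlyContinue
if (-not $pg) {
    $pg = New-VirtualPortGroup -VirtualSwitch $vSwitch -Name $PortGroup
}

# Step 3: set Promiscuous Mode to Accept on the port group only.
# The vSwitch-level security policy is not touched, so other port groups keep inheriting Reject.
$pg | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuous $true | Out-Null

# Step 4: point the capture VM's network adapter(s) at the new port group.
Get-VM -Name $MonitorVM | Get-NetworkAdapter |
    Set-NetworkAdapter -NetworkName $PortGroup -Confirm:$false | Out-Null

# Verification: the vSwitch should still show AllowPromiscuous = False,
# and only the Monitor port group should show AllowPromiscuous = True.
$vSwitch | Get-SecurityPolicy | Select-Object VirtualSwitch, AllowPromiscuous
Get-VirtualPortGroup -VirtualSwitch $vSwitch | Get-SecurityPolicy |
    Select-Object VirtualPortGroup, AllowPromiscuous, AllowPromiscuousInherited
```

The final two commands are the check worth keeping: if AllowPromiscuous is True on the vSwitch row, the setting was applied one level too high and every VM on the switch is seeing mirrored traffic again. Two other points to keep in mind: Set-NetworkAdapter moves every adapter of the VM, so filter with Where-Object if the capture VM has a management NIC that should stay where it is, and the port group's VLAN ID still governs which frames the promiscuous port receives, so it should match the VLAN of the port groups you intend to observe.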
The vSwitch and port group configuration should now look something like this. You can launch Wireshark in the guest VM and securely capture packets from the entire vSwitch without impacting performance.