Promiscuous Mode not seeing all packets on physical port

Discussions related to using VirtualBox on Mac OS X hosts.
Alex-S
Posts: 1
Joined: 18. Mar 2021, 01:21

Promiscuous Mode not seeing all packets on physical port

Post by Alex-S »

Hi,

I've seen many of the threads related to this topic, so I'll try to cut through the various initial questions...

Physical switch port (not Wi-Fi), macOS Catalina is the host OS, VirtualBox 6.1 (recently updated to 6.1.18 just to be sure I'm on the latest), network adapters are set to promiscuous mode "all", port is set up to mirror another port on the physical switch. Basic config:

[Image: Network settings for guest's promiscuous port]

I'm trying to use VirtualBox to set up a network monitor and netflow generator on Ubuntu. I've successfully done this on physical hardware, but am hoping to keep things consolidated. The host is connected to the switch with 3 adapters (one on VLAN2, another on VLAN3, and one for mirrored traffic). The switch is set up to mirror the main uplink port to a port that the host is connected to.

[Image: Network layout]

The Host can see all the packets expected (using tcpdump -i en6 shows packets for everything on the uplink). The guest seems to only see traffic related to the other guest I have, and various broadcast traffic on the network. I've seen people talk about how VirtualBox creates the software network interface and bridges, but it's been unclear to me how that is (or should be) affecting the passing of packets from the physical interface through to the guest.

My expectation is that the guest should see all the same packets that host does on that network interface. Aside from bridging the interface, and enabling promiscuous mode all, is there something I'm missing here? Why can't the guest OS see the packets that are hitting the physical interface? Is it something about MacOS that is not letting the VirtualBox process see all packets? Is this possible? The fact that VirtualBox has an option for "VMs only" vs. "All" suggests to me this should be possible.

Oddly, when I set it to VMs Only, I don't see the traffic to the other VM. I didn't see it clarified in the docs, but I'm guessing VM only means traffic between the VMs, and not traffic with another VM and outside? I don't care as much about VM traffic, though... was just trying it to see behavior.

Any insight/suggestions on how I can get all the packets hitting the physical interface of the host fully passed on to the guest would be appreciated.

Thanks,
-Alex
fth0
Volunteer
Posts: 5668
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: Promiscuous Mode not seeing all packets on physical port

Post by fth0 »

I'm not sure, but I could imagine that the network filter driver, which filters and injects the network frames for the bridged networking mode, does not work promiscuously, and that only the internal switch between the host and the VMs can work promiscuously.

You could try using the host-only networking mode in combination with a macOS network bridge between en6 and the host-only adapter. Please report back if this works or not.
Sterin T Jose
Posts: 1
Joined: 24. Nov 2021, 22:52

Re: Promiscuous Mode not seeing all packets on physical port

Post by Sterin T Jose »

Did anybody get this working?

I am also trying to achieve the same goal, but have been unsuccessful so far after a few days of trial and error and a lot of research on the internet/Google/communities.

My host is macOS Sierra version 10.12.5 (16F73) on Intel (Mac Mini) with VirtualBox version 6.1.28 => Windows 10 VM.

Wireshark running on macOS is able to get all Ethernet packets, including Ethernet multicast (I am not looking for IP multicast).
But Wireshark running on the Windows 10 VM is NOT able to get all Ethernet packets including Ethernet multicast, even though it is seeing IP broadcast and ICMP packets.

I tried the bridged port option with Promiscuous mode => Allow ALL, but whatever I tried didn't make the Ethernet multicast packets that are available on the physical port of macOS visible to the bridged port on the Windows OS.

I also tried to use the VBoxManage tool without luck.

Any help is really appreciated.
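
To pin down which frames are lost between the host interface and the guest, the following added example (not part of any post in this thread) compares `tcpdump -e -n` text output captured on both sides and reports the destination-MAC classes the host saw but the guest did not. The MAC addresses and capture lines are constructed samples, and the function names are hypothetical.

```python
import re
from collections import Counter

# Matches the link-level header printed by `tcpdump -e -n`.
FRAME_RE = re.compile(
    r"(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), ethertype", re.I)

def classify(dst, vm_macs):
    """Classify a frame by its destination MAC address."""
    dst = dst.lower()
    if dst == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if int(dst[:2], 16) & 1:  # I/G bit set: group (multicast) address
        return "multicast"
    return "unicast-to-vm" if dst in vm_macs else "unicast-other"

def class_counts(capture_text, vm_macs):
    """Count frames per destination class in one capture."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = FRAME_RE.search(line)
        if m:
            counts[classify(m.group("dst"), vm_macs)] += 1
    return counts

def missing_on_guest(host_text, guest_text, vm_macs):
    """Classes the host capture contains but the guest capture lacks."""
    host = class_counts(host_text, vm_macs)
    guest = class_counts(guest_text, vm_macs)
    return sorted(c for c in host if guest[c] == 0)

# Constructed sample data (assumption): one guest NIC MAC and two captures.
VM_MACS = {"08:00:27:aa:bb:01"}
HOST_SAMPLE = """\
12:00:00.000001 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 74: 10.0.2.10.51000 > 10.0.3.20.443: tcp 0
12:00:00.000002 00:11:22:33:44:55 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 87: 10.0.2.10.5353 > 224.0.0.251.5353: UDP, length 45
12:00:00.000003 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.2.1 tell 10.0.2.10, length 46
12:00:00.000004 00:11:22:33:44:55 > 08:00:27:aa:bb:01, ethertype IPv4 (0x0800), length 98: 10.0.2.10 > 10.0.2.50: ICMP echo request, id 1, seq 1, length 64
"""
GUEST_SAMPLE = """\
12:00:00.000003 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.2.1 tell 10.0.2.10, length 46
12:00:00.000004 00:11:22:33:44:55 > 08:00:27:aa:bb:01, ethertype IPv4 (0x0800), length 98: 10.0.2.10 > 10.0.2.50: ICMP echo request, id 1, seq 1, length 64
"""

if __name__ == "__main__":
    print(missing_on_guest(HOST_SAMPLE, GUEST_SAMPLE, VM_MACS))
```

A result containing `unicast-other` means the mirrored traffic addressed to third-party hosts never reaches the guest, while `multicast` corresponds to the missing Ethernet multicast frames.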