Sniffing Internal Networks From a Guest Machine

Discussions related to using VirtualBox on Windows hosts.
btrichardson
Posts: 2
Joined: 27. May 2010, 01:32
Primary OS: MS Windows Vista
VBox Version: PUEL
Guest OSses: Windows XP, Ubuntu

Sniffing Internal Networks From a Guest Machine

Post by btrichardson »

Hello all,

I've searched Google and this forum for an answer to my question, and the only true answer I saw that seemed to work for someone else didn't work for me.

I am running VirtualBox 3.1.6r59338 on a 64-bit Windows Vista host. I have three virtual machines all connected to a VirtualBox internal network, and I want to be able to sniff the internal network from one of the virtual machines as if it were connected to a SPAN port or the internal network was created using a dumb hub. It is evident from the documentation that VirtualBox has implemented a complete Ethernet switch for use with the internal network, and the documentation states that the switch implemented supports promiscuous mode. However, I cannot figure out how to get the internal network switch into promiscuous mode to see if this will support me sniffing traffic from a virtual machine.

As I stated above, I found a different solution that worked for someone else (using a host-only network rather than an internal network), but that solution did not work for me for some reason.

Thank you in advance for your help!

--
Bryan
Perryg
Site Moderator
Posts: 34369
Joined: 6. Sep 2008, 22:55
Primary OS: Linux other
VBox Version: OSE self-compiled
Guest OSses: *NIX

Re: Sniffing Internal Networks From a Guest Machine

Post by Perryg »

Network: promiscuous mode support for e1000 and paravirtualized adapters (bug #6519)
Fixed in Version 3.1.8 (2010-05-10)
btrichardson
Posts: 2
Joined: 27. May 2010, 01:32
Primary OS: MS Windows Vista
VBox Version: PUEL
Guest OSses: Windows XP, Ubuntu

Re: Sniffing Internal Networks From a Guest Machine

Post by btrichardson »

Ah yes, ok, that seemed to do the trick. Thanks Perry!

So, now I'm having another problem (which may or may not deserve its own thread). I have three virtual machines connected to the same internal network (10.0.1.0/24), two of them running emulated Cisco routers via Dynamips (10.0.1.1 and 10.0.1.254), and the third one just a regular ol' networked machine (10.0.1.17). Now, when I ping either one of the router addresses from the 1.17 VM, I start getting DUP packets like crazy. Is this an artifact of the virtual NICs on the two VMs running Dynamips being in promiscuous mode? Is there a way to turn promiscuous mode on or off for a particular virtual NIC?

--
Thanks!
Bryan
Perryg
Site Moderator
Posts: 34369
Joined: 6. Sep 2008, 22:55
Primary OS: Linux other
VBox Version: OSE self-compiled
Guest OSses: *NIX

Re: Sniffing Internal Networks From a Guest Machine

Post by Perryg »

Ah the old NAT limitations. See chapter 6.3.3. NAT limitations in your VirtualBox users guide and see if this may be part of the problem.
watkins
Posts: 1
Joined: 28. May 2010, 05:55
Primary OS: MS Windows Vista
VBox Version: PUEL
Guest OSses: Linux, Windows

Re: Sniffing Internal Networks From a Guest Machine

Post by watkins »

Perryg, thanks for your help thus far - you have been a great resource.

I am working with Bryan on this project. We are not using NAT. Instead, what we are seeing is a flurry of duplicate packets, regardless of whether the packets are ICMP echoes or standard TCP messages. My suspicion is that internal networking within VirtualBox is not getting along with Dynamips, which we are using to route between internal networks.

Here is an example of what is happening. We have two Dynamips routers, both with an interface on an internal network named "InternalNet". One host is present on "InternalNet". Router1's interface has address 10.0.0.1, Router2's interface has address 10.0.0.254, and the host has address 10.0.0.100. When I ping 10.0.0.1 (Router1) from the host, I get a bunch of duplicate replies from - here is the crazy part - 10.0.0.254 (Router2). That's right - Router2 is responding to pings addressed to Router1!

Any ideas on what is causing this? My theory is that the virtual networking technique used by VirtualBox is conflicting with the technique used by Dynamips. From what I can tell, the Dynamips router interface uses a MAC address not bound to the interface in the guest OS, so some voodoo has to go on for the Dynamips router to "see" traffic destined to it. Whatever is going on, it is complicated, and it is starting to hurt my brain :-(

Any help would be greatly appreciated!


Cheers,

Will
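Added example, not part of the original posts: a small parser for iputils-style `ping` output that separates the two symptoms described above, replies duplicated per sequence number and replies arriving from an address other than the one pinged. The sample output is constructed to resemble the described lab (target 10.0.0.1, second router 10.0.0.254), and the function name `analyze_ping` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: iputils-style output for "ping 10.0.0.1", shaped like the
# symptom described in the thread (not captured from a real lab).
SAMPLE = """\
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=2.10 ms
64 bytes from 10.0.0.254: icmp_seq=1 ttl=255 time=2.90 ms (DUP!)
64 bytes from 10.0.0.254: icmp_seq=1 ttl=255 time=3.40 ms (DUP!)
64 bytes from 10.0.0.1: icmp_seq=2 ttl=255 time=1.80 ms
64 bytes from 10.0.0.254: icmp_seq=2 ttl=255 time=2.70 ms (DUP!)
64 bytes from 10.0.0.1: icmp_seq=3 ttl=255 time=1.90 ms
"""

HEADER = re.compile(r"^PING \S+ \((?P<target>[\d.]+)\)")
REPLY = re.compile(r"bytes from (?P<src>[\d.]+): icmp_seq=(?P<seq>\d+)")


def analyze_ping(text):
    """Group echo replies by sequence number and flag anomalies."""
    target = None
    by_seq = defaultdict(list)  # icmp_seq -> reply source addresses, in order
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            target = header.group("target")
            continue
        reply = REPLY.search(line)
        if reply:
            by_seq[int(reply.group("seq"))].append(reply.group("src"))
    # A sequence number answered more than once means duplicated replies.
    duplicated = {seq: srcs for seq, srcs in by_seq.items() if len(srcs) > 1}
    # Any source other than the pinged address is a second stack answering.
    foreign = sorted({s for srcs in by_seq.values() for s in srcs if s != target})
    extra = sum(len(srcs) - 1 for srcs in by_seq.values())
    return {"target": target, "duplicated": duplicated,
            "foreign_sources": foreign, "extra_replies": extra}


if __name__ == "__main__":
    for key, value in analyze_ping(SAMPLE).items():
        print(f"{key}: {value}")
```

If `foreign_sources` is empty but `duplicated` is not, the same host is seeing each frame more than once; a non-empty `foreign_sources` points at another interface on the segment accepting frames not addressed to it.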
Perryg
Site Moderator
Posts: 34369
Joined: 6. Sep 2008, 22:55
Primary OS: Linux other
VBox Version: OSE self-compiled
Guest OSses: *NIX

Re: Sniffing Internal Networks From a Guest Machine

Post by Perryg »

I could speculate about what is taking place here, and it would be a 50-50 shot, but that could cause you to take an avenue that was wrong. Instead, you may need to take this to the only people that know the inside workings of the product: the DEVs. You should report this to bugtracker. You will need to set up an account there, as it is on a different system. Do not forget to provide them a guest log file (as an attachment). They are really strict about that.
It would also help if you can post the ticket number here so others can see the progress, add information, or see the final results.