Sniffing HOST traffic from guest.

This is for discussing general topics about how to use VirtualBox.
Post Reply
JamesNorris
Posts: 2
Joined: 6. Jul 2019, 14:40

Sniffing HOST traffic from guest.

Post by JamesNorris »

Hi Team,

I have one use case. Can anyone help me which networking mode of the virtualbox help me execute it ?

I have one windows 64 bit host with ubuntu guest.

Now i want to intercept host traffic from guest, using wireshark. Which networking mode will support it ?

There can be two ways of achieving this,

1) If guest can see all traffic of host,
or
2) If i mirror some specific ports of host to guest.

Any help would be appreciated.
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Sniffing HOST traffic from guest.

Post by socratis »

There's a combination of things that need to be done in order for this to work, it's not an easy one.

Your typical, default NAT works like this:
+-------+    +-------+
| Guest |--> | Host  |--> Router -> Internet
+-------+    +-------+
Your Guest *has* to go through the Host, it doesn't work the other way round.

Your Bridged mode means that the Guest is using a Host's NIC to access the Router:
+-------+
| Host  |---+-> Router -> Internet
+-------+   |
+-------+   |
| Guest |---+
+-------+
What you're looking for is to "cut" the Host-to-Router connection (red dashes in the diagram above) and establish a Host-to-Guest connection, something that's going to be running as a gateway to your Host:
+-------+
| Host  |   +-> Router -> Internet
+---+---+   |
    |       |
+---+---+   |
| Guest |---+
+-------+
That gateway from what I've seen proposed time and time again is called pfSense and it's running in your Guest. Search for "pfSense site:forums.virtualbox.org" and read the instructions in the topics that you'll find.


We should make a HowTo for this someday...
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
JamesNorris
Posts: 2
Joined: 6. Jul 2019, 14:40

Re: Sniffing HOST traffic from guest.

Post by JamesNorris »

Hi Socratis,

Thank you very much for your reply. I am going to try it today.
Post Reply