tap interface on internal network
Posted: 13. Nov 2010, 15:53
Is there any way to create a tap on an internal network? I want to play with some IDS devices on my internal network and will need a tap or mirror port to capture all data.
virtualbox.org
End user forums for VirtualBox
https://forums.virtualbox.org/
tap interface on internal network
Page 1 of 1
Re: tap interface on internal network
Posted: 13. Nov 2010, 16:17
You can't sniff Internal Network, it's all in the software. Why not use Host-Only if you want to sniff from the Host?
Re: tap interface on internal network
Posted: 13. Nov 2010, 18:29
I've got a set up of 6 machines on an internal network with one of them also on a bridged connection to the real world. It is setup to simulate an office network behind its own router/firewall.
I do security testing and want to put an IDS on that internal network so I can monitor how various attacks look when ran against those machines.
I could setup a machine between the router (the one on two networks) and the network and have that with two interfaces, one running off to an IDS, and have it transparently tap all the traffic running between the router and the rest of the network but I also want to be able to monitor all traffic inside the network, for example to be able to see the result of one compromised machine being used to try to attack another.
So the tap should be to a machine already on the internal network, not out to the host machine, although that would be ok as I could run the IDS on the host but then I'd have to mess with filtering out all the non-VM traffic.
I do security testing and want to put an IDS on that internal network so I can monitor how various attacks look when ran against those machines.
I could setup a machine between the router (the one on two networks) and the network and have that with two interfaces, one running off to an IDS, and have it transparently tap all the traffic running between the router and the rest of the network but I also want to be able to monitor all traffic inside the network, for example to be able to see the result of one compromised machine being used to try to attack another.
So the tap should be to a machine already on the internal network, not out to the host machine, although that would be ok as I could run the IDS on the host but then I'd have to mess with filtering out all the non-VM traffic.
Re: tap interface on internal network
Posted: 13. Nov 2010, 18:51
Ah, ok. Well it should be possible, but keep in mind that VB simulates a switch instead, there is nothing to sniff. Switches are smart devices that send network traffic to one destination port based on the connected MAC address. It's different compared to a hub, which sends data to all the ports.
Re: tap interface on internal network
Posted: 13. Nov 2010, 19:23
Exactly. What I'm trying to do is to get the switch to either behave like a hub, or to get a mirror port on that switch so I can see all the traffic. This is exactly what I would do in the real world I'm just trying to find a way to do it in the virtual one.
Re: tap interface on internal network
Posted: 13. Nov 2010, 20:16
I don't think a so called 'management port' exists in this virtual one. So your sniffing won't work.
Re: tap interface on internal network
Posted: 13. Nov 2010, 20:27
Shame, that would be a good feature to have.
Re: tap interface on internal network
Posted: 14. Nov 2010, 01:06
You're free to add such a feature 
.
.Re: tap interface on internal network
Posted: 14. Nov 2010, 01:38
Unfortunately with a newborn and work piling up I think it might have to wait for a year or two!
Re: tap interface on internal network
Posted: 14. Nov 2010, 14:24
Congratulations with the baby! I wish you lots of happiness. And work piling up, I know that feeling.
Re: tap interface on internal network
Posted: 14. Nov 2010, 14:27
Thanks