Capturing Guest network packets on Host
So I have this little brat of a spyware that is sophisticated enough to avoid both WPF filtering and can detect any other capturing software and drivers like pcap/WinPcap/etc. on the Guest. So I can't do any capture on the Guest, I need to do it on the Host somehow. Problem is, I'm a bit stumped about that:
- I obviously cant do that in Bridged Mode (invisible to pcap)
- I could via NAT but there is no way to distinguish between Host and Guest, at least with acceptable level of effort
- Host-Only is useless for this as far as I can see.
If anyone has experience with similar setup and can help me out I'd appreciate it.
scottgus1
- Site Moderator
- Posts: 20945
- Joined: 30. Dec 2009, 20:14
- Primary OS: MS Windows 10
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Windows, Linux
Re: Capturing Guest network packets on Host
Bridged & Promiscuous mode might do it.
Re: Capturing Guest network packets on Host
scottgus1 wrote: Bridged & Promiscuous mode might do it.
Yeah, I've tried but not seeing anything from the Guest. It is possible my NIC driver does not support promiscuous. Any other ideas?
scottgus1
Re: Capturing Guest network packets on Host
Digika wrote: I've tried but not seeing anything from the Guest. It is possible my NIC driver does not support promiscuous
How have you tried? From the 'Promiscuous mode' dropdown available in the guest's network card settings? See https://www.virtualbox.org/manual/ch06. ... erformance. Also note the caveat in https://www.virtualbox.org/manual/ch06. ... rk_bridged if the host network card you are Bridging to is wi-fi.
Re: Capturing Guest network packets on Host
scottgus1 wrote: How have you tried?
Digika wrote: I've tried but not seeing anything from the Guest. It is possible my NIC driver does not support promiscuous
I don't use wi-fi, it is a wired connection with a network card. Promiscuous mode is enabled in the virtual network adapter settings in VB for the machine. Still, in Wireshark I only see my address available for the interface, but not the Guest's.
UPD: Okay, with virtio-net interface it works but it does not help me much because there is no way for me to distinguish packets between Host and Guest just like with NAT. Darn, back to square 1.
scottgus1
Re: Capturing Guest network packets on Host
Not having tried this before I don't know what else to suggest on the Virtualbox network setup.
Is your guest OS registering the IP address range change from one network type to another? Bridged should give IP range same as your host PC. NAT should be 10.0.2.15. The guest OS should see these changes and remain connected. (I have anecdotally seen some posters where it appears that a Linux guest does not see the IP range change and does not realign its IP address accordingly, and a manual reset was required.)
Re: Capturing Guest network packets on Host
scottgus1 wrote: Is your guest OS registering the IP address range change from one network type to another? Bridged should give IP range same as your host PC. NAT should be 10.0.2.15.
No, the issue is that when I capture packets with Wireshark on my only network interface, they are all originating from my IP (102.168.0.2, for example) even if the Guest sends them via NAT (10.x.x.x) or Bridged mode (192.168.0.6, for example). I have no way of distinguishing them.
scottgus1
Re: Capturing Guest network packets on Host
So you're seeing the guest packets, you just can't distinguish them?
The best thing will be to wait until a network sniffer guru shows up.
But here's a possible workaround: Make a second guest, set both to Bridged, put your sniffing software in the second guest. Now go to the host's network card bindings and uncheck everything except Virtualbox NDIS Bridged Network Adapter:

Now the host won't be able to use the network, only the guests, and the sniffers will be on the same 'level' in the network as the spyware guest. Perhaps better filtering could help then?
(At one time it was also necessary to leave the IPv4 binding checked too. If you find it still is necessary, try a static IP address on the host not in any IP address range used by either guest.)
Re: Capturing Guest network packets on Host
scottgus1 wrote: The best thing will be to wait until a network sniffer guru shows up.
Hmm, I see, this workaround could work but I just don't think my PC can handle both at the same time. Thanks though, I will keep it in mind and will fall back to it if no better solution is suggested by anyone else.
fth0
- Volunteer
- Posts: 5690
- Joined: 14. Feb 2019, 03:06
- Primary OS: Mac OS X other
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Linux, Windows 10, ...
- Location: Germany
Re: Capturing Guest network packets on Host
Digika wrote: So I have this little brat of a spyware that is sophisticated enough to avoid both WPF filtering and can detect any other capturing software and drivers like pcap/wincap/etc on Guest.
If the spyware is as sophisticated as you say, what makes you think that it's not sophisticated enough to know that it's running inside a VM and being quiet then?
FWIW, I can usually capture the network traffic of bridged mode guests at the wired and wireless ethernet interfaces of my hosts, using Wireshark, without needing promiscuous mode in the VM settings.
Re: Capturing Guest network packets on Host
fth0 wrote: FWIW, I can usually capture the network traffic of bridged mode guests at the wired and wireless ethernet interfaces of my hosts, using Wireshark, without needing promiscuous mode in the VM settings.
I can capture it too, I just can't distinguish it since all packets are as if they are originating from my host. I just need anything I can use to filter out Guest traffic separately, seeing how I'd be running it for hours, waiting for activity.
fth0
Re: Capturing Guest network packets on Host
When using VirtualBox bridged mode with a wired Ethernet adapter on the host, you can simply use the Ethernet MAC address to distinguish the packets. Only when using a Wi-Fi Ethernet adapter, VirtualBox uses an additional MAC-level NAT.
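An added example, not part of this thread and not VirtualBox's or Wireshark's own code, showing the MAC-based distinction fth0 describes together with an IPv4 fallback for the wi-fi case, where VirtualBox's MAC-level NAT has already rewritten the guest's source MAC to the host's. It parses a small classic-pcap capture that is constructed inline (not real traffic) and groups each frame as guest or host; the host, gateway and guest addresses are hypothetical sample values, and the guest MAC is recognised either from an explicit value or from VirtualBox's default 08:00:27 OUI. It also builds the equivalent Wireshark display filter for watching the same split live.

```python
import struct

# VirtualBox assigns guest NICs a MAC from its 08:00:27 OUI by default; a
# user-set guest MAC can be passed explicitly. All addresses below are samples.
VBOX_OUI = bytes.fromhex("080027")


def mac_bytes(text):
    """'08:00:27:12:34:56' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def ip_bytes(text):
    """'192.168.0.6' -> 4 raw bytes."""
    return bytes(int(octet) for octet in text.split("."))


def parse_pcap(data):
    """Yield (timestamp, frame) tuples from a classic libpcap file with Ethernet link type."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("expected LINKTYPE_ETHERNET")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def classify(frame, guest_ip, guest_mac=None):
    """Return 'guest' if the frame involves the guest, else 'host' (host or other LAN traffic)."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    # Wired bridge: the guest's own MAC is on the wire, so match it (or the VirtualBox OUI).
    for mac in (src, dst):
        if mac[:3] == VBOX_OUI or (guest_mac is not None and mac == guest_mac):
            return "guest"
    # Wi-fi bridge: the MAC has been rewritten to the host's, but the IPv4 addresses
    # are still the guest's own, so fall back to those (offsets 26/30 after a 14-byte Ethernet header).
    if ethertype == 0x0800 and len(frame) >= 34:
        if guest_ip in (frame[26:30], frame[30:34]):
            return "guest"
    return "host"


def split_capture(data, guest_ip, guest_mac=None):
    """Group every frame of a pcap into {'guest': [...], 'host': [...]}."""
    groups = {"guest": [], "host": []}
    g_ip = ip_bytes(guest_ip)
    g_mac = mac_bytes(guest_mac) if guest_mac else None
    for ts, frame in parse_pcap(data):
        groups[classify(frame, g_ip, g_mac)].append((ts, frame))
    return groups


def wireshark_filter(guest_mac, guest_ip):
    """Equivalent Wireshark display filter for viewing the same split live."""
    return f"eth.addr == {guest_mac} || ip.addr == {guest_ip}"


def build_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Ethernet + minimal IPv4 header (protocol 1 = ICMP, no payload, checksum left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip_hdr


def build_sample_pcap():
    """Constructed capture (not real traffic); the host, gateway and guest addresses are hypothetical."""
    host_mac, gw_mac, guest_mac = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:fe", "08:00:27:12:34:56"
    frames = [
        build_frame(host_mac, gw_mac, "192.168.0.2", "8.8.8.8"),    # host's own ping
        build_frame(guest_mac, gw_mac, "192.168.0.6", "8.8.4.4"),   # guest on a wired bridge
        build_frame(host_mac, gw_mac, "192.168.0.6", "8.8.4.4"),    # guest seen through wi-fi MAC NAT
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian global header
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    groups = split_capture(build_sample_pcap(), guest_ip="192.168.0.6", guest_mac="08:00:27:12:34:56")
    for kind, frames in groups.items():
        print(kind, len(frames), "frame(s)")
    print("Wireshark filter:", wireshark_filter("08:00:27:12:34:56", "192.168.0.6"))
```

Run against a real capture by reading the pcap file's bytes into `split_capture` with the guest's bridged IP and, if known, its MAC from the VM's network settings; frames that carry neither are host or other LAN traffic. The IP fallback is only as good as the guest keeping that address, which is why the wired bridge (where the MAC itself is visible) is the more reliable case.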
Re: Capturing Guest network packets on Host
fth0 wrote: When using VirtualBox bridged mode with a wired Ethernet adapter on the host, you can simply use the Ethernet MAC address to distinguish the packets. Only when using a Wi-Fi Ethernet adapter, VirtualBox uses an additional MAC-level NAT.
The MAC address in the packets is mine, not the Guest's. I've already mentioned this multiple times. If it wasn't, it wouldn't be an issue and I wouldn't be asking the question.
fth0
Re: Capturing Guest network packets on Host
Digika wrote: The MAC-address in the packets is mine, not the Guests. I've already mentioned this multiple times.
Yes, but I wasn't sure if you have seen packets from the guest at all.
Ok, since your description doesn't seem to match the expected behavior, I need some real data:
On the host, get the output of ifconfig /all, start a Wireshark capture, and ping an IP address (e.g. 8.8.8.8 ). Start the VM with Bridged networking mode, get the output of ifconfig /all (Windows) or ifconfig (Linux), ping another IP address (e.g. 8.8.4.4), and shut down the guest. Stop the Wireshark capture, zip all collected information and the VBox.log file and post it here.
scottgus1
Re: Capturing Guest network packets on Host
Digika wrote: The MAC-address in the packets is mine, not the Guests. I've already mentioned this multiple times. If it wasnt it wouldnt be an issue and I wouldnt be asking the question.
Searching for the three letters 'MAC' in this thread reveals that the very first time you said anything about MAC addresses in this thread is the above quote.
So rather than mentioning that MAC addresses are all the same 'multiple times' you only mentioned it once, AFTER fth0 brought the subject up. Your previous mentions that the packets were indistinguishable revolved around IP address, only AFTER I brought up the IP addresses of the guest.
Once you said, "I only see my address". What address? IP, MAC, house? Not descriptive enough.
To snip at fth0 after woefully misrepresenting your provided info is very off-putting. Asking for our help then biting the hand that feeds you will lead to you not being fed anymore. You did not pay for Virtualbox, so you are not entitled to any support. (If you did pay for Virtualbox you would not be here, you would be talking to the devs directly.)
Calm your responses.