Capturing Guest network packets on Host

[Digika]

So I have this little brat of a spyware that is sophisticated enough to avoid both WPF filtering and can detect any other capturing software and drivers like pcap/wincap/etc on Guest. So I cant do any capture on Guest, I need to do it on Host somehow. Problem is, I'm a bit stumped about that:

- I obviously cant do that in Bridged Mode (invisible to pcap)
- I could via NAT but there is no way to distinguish between Host and Guest, at least with acceptable level of effort
- Host-Only is useless for this as far as I can see.

If anyone has experience with similar setup and can help me out I'd appreciate it.

[scottgus1]

Bridged & Promiscuous mode might do it.

[Digika]

Bridged & Promiscuous mode might do it.

Yeah, I've tried but not seeing anything from the Guest. It is possible my NIC driver does not support promiscuous. Any other ideas?

[scottgus1]

I've tried but not seeing anything from the Guest. It is possible my NIC driver does not support promiscuous

How have you tried? From the 'Promiscuous mode" dropdown available in the guest's network card settings? See https://www.virtualbox.org/manual/ch06. ... erformance. Also note the caveat in https://www.virtualbox.org/manual/ch06. ... rk_bridged if your host network card you are Bridging to is wi-fi.

[Digika]

I've tried but not seeing anything from the Guest. It is possible my NIC driver does not support promiscuous

How have you tried?

I dont use wi-fi, it is wired connection with network cad. Promiscuous mode is enable in the virtual network adapter settings in VB for the machine. Still, in the Wireshark I only see my address available for the interface, but not the Guests.

UPD: Okay, with virtio-net interface it works but it does not help me much because there is no way for me to distinguish packets between Host and Guest just like with NAT. Darn, back to square 1.

[scottgus1]

Not having tried this before I don't know what else to suggest on the Virtualbox network setup.

Is your guest OS registering the IP address range change from one network type to another? Bridged should give IP range same as your host PC. NAT should be 10.0.2.15. The guest OS should see these changes and remain connected. (I have anecdotally seen some posters where it appears that a Linux guest does not see the IP range change and does not realign its IP address accordingly, and a manual reset was required.)

[Digika]

Is your guest OS registering the IP address range change from one network type to another? Bridged should give IP range same as your host PC. NAT should be 10.0.2.15.

No, the issue is that when I capture packets with Wireshark on my only network interface, they are all originating from my IP (102.168.0.2, for example) even if Guests sends them via NAT (10.x.x.x) or Bridged mode (192.168.0.6, for example). I have no way of distinguishing them.

[scottgus1]

So you're seeing the guest packets, you just can't distinguish them?

The best thing will be to wait until a network sniffer guru shows up.

But here's a possible workaround: Make a second guest, set both to Bridged, put your sniffing software in the second guest. Now go to the host's network card bindings and uncheck everything except Virtualbox NDIS Bridged Network Adapter:



Now the host won't be able to use the network, only the guests, and the sniffers will be on the same 'level' in the network as the spyware guest. Perhaps better filtering could help then?

(At one time it was also necessary to leave the IPv4 binding checked too. If you find it still is necessary, try a static IP address on the host not in any IP address range used by either guest.)

[Digika]

Hmm, I see, this workaround could work but I just dont think my PC can handle both at the same time. Thanks though, I will keep it in mind and will fall back to it if no better solution will be suggested by anyone else:

The best thing will be to wait until a network sniffer guru shows up.

[fth0]

So I have this little brat of a spyware that is sophisticated enough to avoid both WPF filtering and can detect any other capturing software and drivers like pcap/wincap/etc on Guest.

If the spyware is as sophisticated as you say, what makes you think that it's not sophisticated enough to know that it's running inside a VM and being quiet then?

FWIW, I can usually capture the network traffic of bridged mode guests at the wired and wireless ethernet interfaces of my hosts, using Wireshark, without needing promiscuous mode in the VM settings.

[Digika]

FWIW, I can usually capture the network traffic of bridged mode guests at the wired and wireless ethernet interfaces of my hosts, using Wireshark, without needing promiscuous mode in the VM settings.

I can capture it too, I just cant distinguish it since all packets are as if they are originating form my host. I just need anything I can use to filter out Guest traffic separately, seeing how I'd be running it or hours, waiting for activity.

[fth0]

When using VirtualBox bridged mode with a wired Ethernet adapter on the host, you can simply use the Ethernet MAC address to distinguish the packets. Only when using a Wi-Fi Ethernet adapter, VirtualBox uses an additional MAC-level NAT.

[Digika]

When using VirtualBox bridged mode with a wired Ethernet adapter on the host, you can simply use the Ethernet MAC address to distinguish the packets. Only when using a Wi-Fi Ethernet adapter, VirtualBox uses an additional MAC-level NAT.

The MAC-address in the packets is mine, not the Guests. I've already mentioned this multiple times. If it wasnt it wouldnt be an issue and I wouldnt be asking the question.

[fth0]

The MAC-address in the packets is mine, not the Guests. I've already mentioned this multiple times.

Yes, but I wasn't sure if you have seen packets from the guest at all.

Ok, since your description doesn't seem to match the expected behavior, I need some real data:

On the host, get the output of ifconfig /all, start a Wireshark capture, and ping an IP address (e.g. 8.8.8.8 ). Start the VM with Bridged networking mode, get the output of ifconfig /all (Windows) or ifconfig (Linux), ping another IP address (e.g. 8.8.4.4), and shut down the guest. Stop the Wireshark capture, zip all collected information and the VBox.log file and post it here.

[scottgus1]

The MAC-address in the packets is mine, not the Guests. I've already mentioned this multiple times. If it wasnt it wouldnt be an issue and I wouldnt be asking the question.

Searching for the three letters 'MAC' in this thread reveals that the very first time you said anything about MAC addresses in this thread is the above quote.

So rather than mentioning that MAC addresses are all the same 'multiple times' you only mentioned it once, AFTER fth0 brought the subject up. Your previous mentions that the packets were indistinguishable revolved around IP address, only AFTER I brought up the IP addresses of the guest.

Once you said, "I only see my address " What address? IP, MAC, house? Not descriptive enough.

To snip at fth0 after woefully misrepresenting your provided info is very off-putting. Asking for our help then biting the hand that feeds you will lead to you not being fed anymore. You did not pay for Virtualbox, so you are not entitled to any support. (If you did pay for Virtualbox you would not be here, you would be talking to the devs directly.)

Calm your responses.