
Running Wireshark On A Vm On A Server


bwanaaa

Hoping for the virtual machine to be a 'network tap'.

The configuration is an Intel Mac with an AirPort card and several USB NICs. The AirPort card is for connectivity to the internet. The USB NICs provide connectivity to the local LAN. Internet Sharing is used on the Mac to distribute internet access, and the Mac is also a file repository.

Internet Sharing on the Mac results in a DHCP server handing out addresses in a different class C for each NIC, so one NIC, for example, will get 192.168.2.x, the next NIC gets 192.168.3.x, etc. This allows each NIC to service a whole LAN segment. Wireshark installed on the Mac sees all interfaces and allows monitoring of traffic. I do not want to run Wireshark natively on the Mac. It's a production machine, and messing around with the bare metal is discouraged. A virtual appliance is perceived as safer (even though it may not be; I cannot convince the responsible higher-ups).

So, VMware Fusion is set up on the Mac to run an instance of Windows XP SP3. Wireshark is installed on Windows. In this configuration, Wireshark only sees the AirPort but not the USB NICs. The network adapters are set up in bridged mode in VMware. Is there a tutorial that clarifies the setup for the NICs in Fusion and the proper IP addresses they should have in Windows? Should they be bridged there as well? If I use the same IP as that used on the Mac, obviously I get an IP address conflict.

I was hoping for the virtual machine to be a 'network tap', but it's having trouble seeing the NICs, let alone the traffic that is not even destined for it. I guess another way to solve this problem is to get the traffic to go through the XP instance. XP would need a DHCP server running. This DHCP server would service the NICs. I tried tftpd, but that is a little too rudimentary; it does not see the virtual interfaces. I'll keep looking but need some enlightenment.

Please be gentle.

The problem is you can only use the USB adapters on one or the other. I don't believe you can have the USB device be seen by both operating systems at the same time. In order for Wireshark to monitor it, it has to be local to its OS. This would make them unusable to the host machine. Resolution: install Wireshark on the host machine, and you will need to either run an instance of Wireshark for each NIC, or create a virtual NIC/bridged adapter and monitor the bridged adapter.

I'm curious as to why people feel Wireshark is a risk, though, and requires running in a VM. Unless you know something we don't, I'd be interested in knowing what they think the issue would be with running it on the box natively.

Wireshark is seen as a risk because of what it does. At my work we were going to use it to troubleshoot network problems, until they found out from me that it's much more than a packet loss analyzer. Yeah, they don't want people potentially seeing credentials for pass the hash and whatnot.

Although people can still do it if savvy ;)

Problem is you can only use the USB adapters on one or the other. I don't believe you can have the USB device be seen by both operating systems at the same time.

Yes, that's what I thought. I read a little about the concept of a loopback. Of course this is what I want to avoid.

In order for Wireshark to monitor it, it has to be local to its OS. This would make them unusable to the host machine. Resolution: install Wireshark on the host machine, and you will need to either run an instance of Wireshark for each NIC,

Basically I would do this.

or create a virtual NIC/bridged adapter and monitor the bridged adapter.

I want to get the XP instance to act as a bridge and run Wireshark on it, so it looks like this:

client (LANs with PC, Mac, iPhone, iPad) -> USB NICs & native Ethernet port -> Mac server -> virtual ports on VM (1 port for each hardware device) to Windows -> Wireshark -> one other virtual port to AirPort -> router with wireless access point -> internet

The router has a firewall and NAT. The firewall on the Mac server is off for testing. The firewall on the Windows instance is off for testing.

I need direction on how to do this in Windows. Or would it be easier to do in an instance of Ubuntu on the command line, or another Linux distro running as a VM?
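The following is an added example, not code from anyone in this thread. It shows the "Linux VM on the command line" variant of the inline setup sketched above: the VM becomes the hop between the LAN segments and the uplink, serves DHCP per segment (the role the poster wanted XP to play), and runs one capture per LAN NIC, which is the "one instance per NIC" approach the first reply suggests. Assumptions: the USB NICs are attached to the VM with USB passthrough and appear as eth1 and eth2 (hypothetical names), eth0 is the vNIC bridged to the AirPort uplink, and dnsmasq, iptables and tcpdump are installed. It routes and NATs rather than bridging at layer 2 on purpose: a Wi-Fi station cannot normally forward frames carrying other hosts' MAC addresses, so a transparent bridge through the AirPort card is unreliable, whereas routing keeps the upstream router seeing a single address, just as Internet Sharing did.

```shell
#!/bin/sh
# Added example, not from the thread. Makes a Linux (e.g. Ubuntu) VM the
# inline router and capture point between the LAN segments and the uplink.
# Hypothetical interface names: eth0 is the vNIC bridged to the Mac's
# AirPort uplink; eth1 and eth2 are USB NICs handed to the VM with USB
# passthrough, one per LAN segment. Each segment keeps its own /24
# (192.168.2.0/24, 192.168.3.0/24), as the Mac's Internet Sharing did.
# Run as root inside the VM with "apply"; DRY_RUN=1 prints the commands
# instead of executing them, so the plan can be reviewed first.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# lan_setup IFACE OCTET: the VM becomes the gateway 192.168.OCTET.1 of that segment.
lan_setup() {
    ifc=$1; net=$2
    run ip addr replace "192.168.$net.1/24" dev "$ifc"
    run ip link set "$ifc" up
}

# dnsmasq_conf OCTET IFACE: dnsmasq fragment serving DHCP on that segment
# (dnsmasq replaces the DHCP server the poster wanted to run on XP).
dnsmasq_conf() {
    net=$1; ifc=$2
    printf 'interface=%s\n' "$ifc"
    printf 'dhcp-range=192.168.%s.100,192.168.%s.200,12h\n' "$net" "$net"
    printf 'dhcp-option=option:router,192.168.%s.1\n' "$net"
}

# uplink_nat UPLINK: forward between segments and masquerade out the uplink,
# so the upstream router still sees one address, as with Internet Sharing.
uplink_nat() {
    up=$1
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -o "$up" -j MASQUERADE
    run iptables -A FORWARD -i "$up" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -o "$up" -j ACCEPT
}

# capture OUTDIR IFACE...: one tcpdump per LAN NIC, full frames (-s 0),
# ring buffer of 10 files x 100 MB so a long-running tap cannot fill the disk.
# Open the pcaps in Wireshark afterwards, or merge them with mergecap.
capture() {
    out=$1; shift
    run mkdir -p "$out"
    for ifc in "$@"; do
        run tcpdump -i "$ifc" -s 0 -n -C 100 -W 10 -w "$out/$ifc.pcap" &
    done
    wait
}

main() {
    lan_setup eth1 2
    lan_setup eth2 3
    if [ "${DRY_RUN:-0}" = "1" ]; then
        dnsmasq_conf 2 eth1; dnsmasq_conf 3 eth2
    else
        { dnsmasq_conf 2 eth1; dnsmasq_conf 3 eth2; } > /etc/dnsmasq.d/tap-lans.conf
        systemctl restart dnsmasq
    fi
    uplink_nat eth0
    capture /var/captures eth1 eth2
}

if [ "${1:-}" = "apply" ]; then main; fi
```

Run `DRY_RUN=1 sh tap.sh apply` first to see every command it would issue, then `sh tap.sh apply` as root in the VM. The clients on each USB NIC now get their lease and default gateway from the VM, every packet they send crosses eth1 or eth2, and the ring-buffer capture on those interfaces is what Wireshark reads. Disabling the VM's firewall for testing, as the post above does, is not needed here because the FORWARD rules are explicit.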

If this is a work computer, you will be breaking a few laws by hooking up a network tap (if done at work).

In order for your VM to see USB you need to use USB Passthrough.

What is a USB passthrough?

This is being done for a school library, and signs are posted at every PC that communications on the PCs are school property. I disagree with that concept; it's just indoctrinating youth into giving up their privacy and identity as a way of life. But then again, I don't make the rules. The other advantage of this working on a VM is its portability to other nodes.
