Nov 2, 2011
tom

Is it possible to mirror port to capture packets between VM host and VM?

Question

I have 2 physical machines, A and B. A runs VMWare Workstation with a virtual machine C. C is using Bridged network interface.

A and B are both connected via ethernet to a switch. B has two NIC’s. If I used port mirroring on A’s connection to the switch, and then put that into B, would I be able to capture traffic between A and C? Does that traffic go to the switch, or does it get short circuited somehow?

Thanks in advance!

Answer

VMware Workstation network traffic does indeed short-circuit inside of the host machine. Traffic from VMs on that machine to the host itself will never hit that Ethernet switch. It’s a kind of virtual switch inside the Host, so traffic that can be handled locally will be handled locally; no need to forward it to the switch in the closet.

In order to capture that traffic, the capture has to be performed on the host itself. I do this frequently when checking on things like startup-traffic for a VM.

Related posts:

  1. How to capture Wireshark packets when using a switched network in Windows
  2. How to capture packets of VPN
  3. Is there a way to get wireshark to capture packets sent from/to localhost on Windows?
  4. tcpdump How do I use it to capture all traffic headers
  5. pfSense: Possible to traffic capture the actual WAN port?

Leave a comment