VMWare and Promiscuous mode.

Hi Guys,

I'm a bit of a VMWare n00b so apologies, I just use player and server at a basic level. JD recently recommended a software Virtual Appliance that integrates Snort and a few other tools that require sniffing capabilities. I don't have a lot of time at the moment to check this fully but from this post, http://communities.vmware.com/message/371562, it would seem this is only possible on ESX and not the free edition? Can anyone quickly confirm?

Thanks.

Find more posts tagged with

Comments

astorrs

Promiscuous mode is available on VMware Server (the free one) as well. Have a look at the documentation here: http://www.vmware.com/pdf/server_admin_manual.pdf

Ahriakin

Cheers, will have a look through when I get more time.

JDMurray

Promiscuous mode of the VMWare virtual network adapter? Wireshark works for me in both VMWare Server (Free) and ESX.

And that VMOSSIM link I posted is to a virtualized OSSIM release (0.9.9rc2) is obsolete. Just download the latest OSSIM 1.x.x release with the AlienVault installer and install it on a new VMWare image yourself.

Sie

JD et all,

Has anyone found a Virtulisation platform that allows the utilisation of the Physical Wifi Card rather than Ethernet??

(Wifi is emulated as Ethernet on each I have tried...)

astorrs

Sie, you should be able to do this in any hosted hypervisor (MS Virtual Server/Virtual PC, VMware Server/Workstation).

Neither ESX, Xen, Virtual Iron, or HyperV will support it though because they won't have drivers for it in their kernels.

Can anyone speak to KVM?

Sie

Sorry what I meant has anyone managed to get a PCI/PCI-E/PCMCIA/MINI-PCI/MINI-PCIe/EXPRESS CARD Wireless card to work correctly with monitor/promiscuous mode via VMware or Virtual PC.

They dont seem to be supported too well, true I have ony setup one machine on VMware and havent had much time to play around with it but just wonderd if anyone had got this to work.

USB Wireless devices seem to have a better response.....

astorrs

I know the old ORINOCO Gold and Cisco Aironet PCMCIA cards (I will not refer to them as CardBus - I'm stubborn) supported it and I have used both in the past.

Other than those its up to the chipset and driver, or there is always AirPcap, but those are probably a bit fancier than you were looking for (and more expensive).

Sie

I dont think its down to the chipset to be honest I think its the Virtulisation Software.

The reason I come to this conclusion is I have run BT3 on one laptop no problems 'out of the box' from a Live USB, however when installed within a VM it fails to even detect it is a wireless card and only detects a standard (non-wireless) NIC.

Will have to get some time to test it and see.

Thanks for your replies!

astorrs

Yes the virtualization layer will abstract the network resource from the VM, there is nothing you can do about that (it will always appear as a wired NIC), but you should still be able to sniff all the traffic flowing through it if you set both the host and VM cards to promiscuous mode.

larkspur

ok so you can use sniffer on VM so that means you are spanning the swicthport as well?

astorrs

assuming you set the vSwitch to promiscuous mode for the port group, yes.