This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture on Second NIC is not complete - VirtualBOX Complication

0

Hello

My Setup:

WinXP-SP3

NIC #1: 3COM Etherlink XL 10/100 (ethernet)

Bindings: Client for MS Networks; File & Print for MS Net; QOS; AEGIS; MS TCP/IP

NIC #2: SiS 190 100/10 (ethernet)

Bindings: VirtualBox Bridged Network Driver Only

I use this machine as a VirtualBox Host using NIC #1 as network connection

The VBOX Clients use the NIC #2 as their network connection

I then run Wireshark on my HOST and start a capture on NIC #2 - I then start a VBox (Windows) Client

The VBox Client has NIC #2 (Above) as ethernet and has the normal windows binding for MS networking & File sharing etc

In the capture running on the HOST the traffic which is captured is not complete. The only packets captured are broadcast packets: ARP, NetBIOS

Any packet which is not a broadcast is not captured and not seen.

Now that I have written this all out logically, I believe I partially understand what is happening.

When a packet arrives at the VBOX Client which is addressed to that client the VBOX bridge adapter pushes the packet to the appropriate machine IP stack which means it is not seen by the VBOX Host machine.

When a packet arrives at the VBOX Client which is a broadcast address the VBOX bridge adapter (presumably) allows the packet to be seen by other processes which may be listening on the VBOX Host, such as a second VBOX Client participating in the same broadcast space.

This is (presumably) when the VBOX Host sees the packet and it is captured by WINPCap on the VBOX Host.

Side note: Running Wireshark on the VBOX Client virtual machine works normally and all packets are seen.

Is it possible to have WINPCap "sit lower down, be closer to the wire" than any other process? Namely, before the VBOX bridge driver - No doubt .. it is not.

One last question that you may be able to answer, but this is more my ignorance of how Wireshark is written - My understanding (which is clearly wrong) was that a "sniffer" listened to the physical wire at OSI Layer 1 and as such was first to see everything ..?

Thanks for taking the time to read this - please file it appropriately and make any edits/tags you feel are necessary.

asked 24 Jun '14, 07:09


unstruct
11113
accept rate: 0%
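A quick way to check a capture file for the symptom described above (broadcast frames only, no unicast), as an added example that is not part of the original post or of Wireshark/WinPcap: a small Python script that parses a little-endian Ethernet pcap and counts frames by destination class. The sample capture and the MAC addresses in it are constructed inline; to check a real host-side capture, pass the file's bytes to count_frame_types.

```python
"""Added example: classify the destination MAC of every frame in a pcap so you
can tell whether a capture point (like host-side NIC #2 in the question) is
seeing unicast traffic at all, or only broadcast/multicast."""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4   # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

def classify_dst(dst: bytes) -> str:
    """Broadcast is ff:ff:ff:ff:ff:ff; multicast sets the low bit of byte 0."""
    if dst == b"\xff" * 6:
        return "broadcast"
    if dst[0] & 0x01:
        return "multicast"
    return "unicast"

def count_frame_types(pcap: bytes) -> Counter:
    """Walk a pcap blob (24-byte global header, 16-byte record headers)."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) >= 14:             # need a full Ethernet header
            counts[classify_dst(frame[:6])] += 1
    return counts

def unicast_missing(counts: Counter) -> bool:
    """True when broadcasts were captured but not one unicast frame: the
    symptom of a capture driver sitting above a bridge that steals unicast."""
    return counts["unicast"] == 0 and counts["broadcast"] > 0

def build_sample_pcap(dst_macs) -> bytes:
    """Constructed sample capture: one ARP-sized frame per destination MAC."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    src = bytes.fromhex("0200c0ffee01")  # constructed, locally administered MAC
    records = b""
    for dst in dst_macs:
        frame = dst + src + b"\x08\x06" + b"\x00" * 28   # ethertype ARP + padding
        records += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return header + records

if __name__ == "__main__":
    sample = build_sample_pcap([b"\xff" * 6] * 3)
    counts = count_frame_types(sample)
    print(dict(counts), "unicast missing:", unicast_missing(counts))
```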


One Answer:

1

This isn't a Wireshark question. The application used by Wireshark to capture on Windows is WinPCap; you might get help for the issue over there.

Having said that, it may well be down to the fact that WinPCap is an NDIS 5 driver, and only NDIS 6 allows positioning anywhere in the stack. Unfortunately rewriting WinPCap to be an NDIS 6 driver is a significant undertaking.

Wireshark depends on other applications (WinPCap or libpcap) to actually sniff the traffic using the host OS facilities, and does not itself have access to any part of the network stack.

Your issue may also be caused by VPN and AV software that installs filter drivers in the stack and prevents WinPCap from seeing the traffic; do you have any such software installed?

answered 24 Jun '14, 07:42


grahamb ♦
19.8k330206
accept rate: 22%

Thanks - I removed my AV & Firewall (no VPN running), so I am sure that is not the issue - It is simply due to the VirtualBox Bridge driver ... As you say, "This isn't a Wireshark question" .. but I am happy to work with what I have now that I understand the problem better.

(24 Jun '14, 07:51) unstruct