Separate/distinguish traffic when capturing VBox guest?

asked 2020-06-07 14:36:50 +0000

Digika

updated 2020-06-07 14:37:53 +0000

I have the following setup:

  • Windows 7 Host (on-board Qualcomm Network Adapter, wired)

  • Windows 10 Guest (virtio-net virtual adapter, Bridged Mode, Promiscuous mode either VM or Allow-all)

My issue is that, just like with NAT mode, I can't distinguish packets sent from the Guest from the Host's, so it is impossible for me to meaningfully parse the captured packets.

What are my options to be able to filter Guest traffic/requests?


Comments

If in bridged mode, I expect all the hosts/adapters would have their own MAC address. So why can't you filter on MAC if you need to identify the specific host+adapter sending the traffic?

I can understand how NAT could add some difficulty, but another option is to capture inside the VM, so you should not see general host traffic, unless, of course, it is sent to the guest VM.

> so it is impossible for me to meaningfully parse the captured packets.

Wouldn't at the very least the IP addresses be different? So you would not be able to filter on L2 traffic, but anything L3 and above should be straightforward to filter with different IPs.

Also you can disable the IPv4 and IPv6 services under the host network adapter and then it should seriously curtail communications on that specific adapter from the host, further isolating the ...

Bob Jones ( 2020-06-08 00:31:22 +0000 )
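Added example, not part of the original thread or written by any commenter: one way to apply the MAC and IP suggestion above to a capture taken on the host's bridged adapter. It assumes a classic little-endian pcap file and that the guest NIC keeps VirtualBox's default 08:00:27 MAC prefix; the function names and all sample addresses are constructed for illustration.

```python
import struct
from collections import defaultdict
VBOX_OUI = "08:00:27"  # assumption: guest MAC was auto-generated by VirtualBox

def read_pcap(data):
    """Yield raw Ethernet frames from a classic little-endian pcap byte string."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    if struct.unpack_from("<I", data, 20)[0] != 1:
        raise ValueError("link type is not Ethernet")
    off = 24  # size of the pcap global header
    while off + 16 <= len(data):
        incl = struct.unpack_from("<I", data, off + 8)[0]  # captured length
        yield data[off + 16 : off + 16 + incl]
        off += 16 + incl

def sources(data):
    """Map each source MAC to the set of IPv4 source addresses seen with it."""
    seen = defaultdict(set)
    for f in read_pcap(data):
        if len(f) < 14:
            continue  # truncated frame, no full Ethernet header
        mac = ":".join(f"{b:02x}" for b in f[6:12])
        seen[mac]  # record the MAC even when the frame is not IPv4
        if f[12:14] == b"\x08\x00" and len(f) >= 34:
            seen[mac].add(".".join(str(b) for b in f[26:30]))
    return dict(seen)

def guest_filters(seen, host_mac):
    """Wireshark display filters for non-host MACs carrying the VirtualBox OUI."""
    return [f"eth.addr == {m}" for m in sorted(seen)
            if m != host_mac.lower() and m.startswith(VBOX_OUI)]

# --- constructed sample capture (all addresses are made up) ---
def make_frame(src_mac, src_ip):
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = (b"\x45\x00" + struct.pack(">H", 20) + bytes(4) + b"\x40\x01" + bytes(2)
          + bytes(int(o) for o in src_ip.split(".")) + bytes([192, 0, 2, 1]))
    return eth + ip
def make_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

HOST_MAC = "00:11:22:33:44:55"
SAMPLE = make_pcap([make_frame(HOST_MAC, "192.168.1.10"),
                    make_frame("08:00:27:aa:bb:cc", "192.168.1.23")])
print(guest_filters(sources(SAMPLE), HOST_MAC))
```

If guest and host traffic ever appear under one MAC, `sources` lists several IPs in that MAC's set, and an IP-based filter is the remaining way to split them.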

For reasons unspecified capturing inside the Guest is not an option.

> If in bridged mode, I expect all the hosts/adapters would have their own MAC address.

Well, it isn't. I send ICMP requests from Guest and Wireshark's captured data shows as if they were sent from Host's IP and MAC.

> under the host network adapter

Host-Only network adapter does not have access to the outer net; I need to think of it as just a workstation connected to the interwebs.

Digika ( 2020-06-08 09:26:40 +0000 )

> Well, it isn't. I send ICMP requests from Guest and Wireshark's captured data shows as if they were sent from Host's IP and MAC.

Then you are either really NOT in bridge mode like you think you are, or you are not able to identify the traffic before you in a way to discern the difference. Sounds like you are still in NAT mode.

Host-Only adapter is an option as a configuration in VirtualBox; this is not the same as the host adapter that one might use for bridge mode or one of the other modes. My suggestion is for the host adapter used in bridge mode; indeed, this works for me on a Win10 host with guests, in bridged mode, and I can see the guest traffic (MACs and IPs, too) without issue.

Bob Jones ( 2020-06-08 20:37:52 +0000 )

There is no such thing as just "Host Adapter" mode; VBox does not offer that. I AM IN Bridged Mode.

Digika ( 2020-06-08 21:39:25 +0000 )