Ask Your Question
0

Wireshark on virtualbox guest machine does not see specific packets, while the host does see the packet

asked 2018-04-05 08:52:46 +0000

erem gravatar image

updated 2018-04-10 07:55:15 +0000

grahamb gravatar image

L.S.,

I hope someone can shed some light on the problem below, I am at the end of my rope

I run virtualbox 5.2.8 on a WIN7 machine, with a virtual machine running unbuntu 16.04. I have the virtual machine network adapter in bridged mode.

I am trying to detect the presence of an iphone on the network by doing a SYN-SYN-ACK-ACK three way handshake on port 62078 on the iPhone. (it is very difficult to detect iPhones ;-)) When I run wireshark on the host, I see the SYN packet leave the virtual machine, and I see the return SYN-ACK packet arrive at the host. I also run wireshark on the VM, and I see the SYN packet leave, but never see the return SYN-ACK packet, while see it in the capture on the host.

Since the VM adapter is in bridged mode, it should see ALL traffic on the host adapter. I am at the end of my rpe here.... Any help or guidance is appreciated.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
1

answered 2018-04-10 08:36:42 +0000

grahamb gravatar image

I can't be definite about this (I haven't tested) but I would be surprised (for security reasons) if a VB guest was able to capture non-VM traffic from the hosts NIC.

I suspect the allow_all promiscous setting is only intended to allow all VM traffic, not to include host traffic, or even other traffic that may be passing the host NIC. Looking at the 3 promiscuous mode options:

  • deny - only traffic for the VM guest
  • allow-vms - only traffic for other vms
  • allow-all - all VM traffic, i.e. the superset of the other 2 options.

That you can capture the outgoing packet from the host might be allowed through the Virtual NIC because of a bug or because it meets the VNIC filtering criteria.

Regardless of the above guesses, the best place to take this up would be with the VBox folks.

edit flag offensive delete link more

Comments

Graham,

thanks, i do have that question out with the VM folks. However, if both adapters (host and VM) are in full promiscuous mode, they should see the packet. All other traffic (like mDNS, ICMP, ARP etc does show up in both instances of wireshark.

anyway, thanks for taking the time to reply

Regards,

Rob

erem gravatar imageerem ( 2018-04-10 08:43:36 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2018-04-05 08:52:46 +0000

Seen: 5,804 times

Last updated: Apr 10 '18

Related questions

Help with a TCP Reset Issue

There is no MSS replied in SYN,ACK

Why my server does not respond to client's [SYN]?

frame 1 [syn] -> frame 2 [rst, ack] on port 25 of remote server

Communication keeps on restarting between Source and Client, noticed RST, ACK.

Download Request failure, Client Machine sending FIN, ACK - [RESOLVED]

Windows Client keeps generating DHCP request

Printer sending RST, ACK to computer continuously without pending job

TCP SYN replied immediately by RST after successful session

How to Capture network data between two virtual machines

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2