Ask Your Question

Capturing traffic on the network or just the VM?

asked 2021-11-27 14:54:27 +0000

Mr.Schark gravatar image

updated 2021-11-27 21:27:59 +0000

Guy Harris gravatar image

Hello all. I'm working on a network project and I have been assigned the task of monitoring network traffic via Wireshark. My team and I have set up various VM's that function as servers. We have a Windows based VM Domain Controller server that handles our DNS, DHCP and Active Directory. We each have our own personal VM servers and a few end user devices that we will be utilizing to work on our individual side features. It is my task to use a dedicated VM/Server with multiple nics to continuously capture the network traffic via Wireshark and utilize Wireshark for troubleshooting and optimization. Basically what I would like to know is, if I am running Wireshark on a dedicated server connected to the network, am I capturing all network traffic? Or am I just capturing the traffic on this particular machine? If I am only capturing the traffic on the server running Wireshark, how do I go about capturing all network traffic? My apologies if this is a silly question but I am still a novice.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2021-11-27 20:01:04 +0000

BigFatCat gravatar image

It can work with limitations and the correct software. By default, VM server only sees traffic for its virtual MAC address and multicast. If your VM box supports a VM switch, then it is possible to mirror traffic to another port in the same box. I would try performance and malware software to determine what needs to be capture. If is a requirement to capture all network traffic, then a dedicated network appliance is a better option.

Some limitations

  1. Packet drops when the aggregate traffic exceeds the VM server port. An example of aggregate traffic issue is a 1G ingress/egress mirror. A 1G full duplex is simultaneous 1G ingress and 1G egress or 2G. The 2G aggregate traffic will never fit a 1G target port. Either two 1G target ports or 10G target port.
  2. VM server will need to be able capture and write traffic a port speed to a file. If it can't then packets will be dropped.
  3. File storage. There will be Terabytes of data.
edit flag offensive delete link more


So, I have a dedicated VM that is meant for capturing packets as stated in the post. How do I capture all packets on this network using this VM without crashing the machine? What do you mean by dedicated appliance? Running Wireshark to capture all network traffic is a requirement for this project.

Mr.Schark gravatar imageMr.Schark ( 2021-11-27 23:45:45 +0000 )edit

Is there anyone on this forum who is capable of explaining what I need to do to fulfill the requirements that I have stated in the post? I need somebody who is capable of explaining this current scenario in terms that a beginner can understand. I have yet to encounter a single person on this forum who isn't socially inept.

Mr.Schark gravatar imageMr.Schark ( 2021-11-28 17:11:35 +0000 )edit
  1. It is possible to verify mirror ports or copy traffic to the Wireshark server. It is necessary to have a virtual switch or similar function. You will be able to mirror traffic to your Wireshark server with the virtual switch. It's similar to span port on a physical switch.
  2. Proof-Of-Concept. Passed/Failed. Validate mirror ports are functioning. To copy traffic to the Wireshark server, you have to create the mirror ports. Start pings on all the servers. All the traffic should be captured by the Wireshark server. Stop the capture and verify the results of the ping in the Wireshark server. The packet capture ping results should match the servers.
  3. Validation test. Passed/Failed. When there is a load on the network, the Wireshark server is able to capture all the traffic. All the servers should begin bi-directional file transfers. I recommend that you use file transfer software that ...
BigFatCat gravatar imageBigFatCat ( 2021-11-28 23:12:23 +0000 )edit

Thanks for the info I am currently looking into this...Is it possible to use a Windows based server for this situation or would it be better to use a Linux based machine to run Wireshark? Also, what file transfer software that utilizes TCP do you recommend using for the bi-directional transfers?

Mr.Schark gravatar imageMr.Schark ( 2021-11-29 06:40:36 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2021-11-27 14:54:27 +0000

Seen: 3,181 times

Last updated: Nov 27 '21