This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Order-of-operation

0

I am trying to solve a problem in an ESXi/XP environment. The VM is running XP and Wireshark; the host is running Solaris.

Wireshark shows a packet leaving the VM but the Solaris server never sees the packet, nor does the span port on the Cisco switch. The vendor of the VM installed an Intel driver and right now that is where our suspicions are focused. He will fix that today.

But the question I have is where does Wireshark 'pick up' the packet, if it actually never leaves the Intel NIC? This information would be useful to know so I could confidently rule out the NIC in this case and in other cases too.

I am planning to install Cisco 1000V to test the virtual switch but was hoping someone knew of documentation of Wireshark/tcpdump/snoop order-of-operation.

asked 15 Dec '11, 07:24


ttpm
accept rate: 0%

I have a similar issue. Have you found a resolution to your issue yet?

(10 Jan '12, 11:40) jc931r

One Answer:

0

If I understand your question correctly, you're running Wireshark inside the VM and capturing the packet, but you do not see it outside the ESXi?

Wireshark picks up packets before they actually go out onto the "wire" (or to the vSwitch of the ESXi, in this case), so seeing a packet in a capture done inside the VM does not mean it actually left it. You might want to enable promiscuous mode on the vSwitch and attach another VM with Wireshark running to see if the vSwitch got the packet at all (a vSwitch in promiscuous mode will forward all incoming packets to all ports, just like a hub does).

answered 15 Dec '11, 08:10


Jasper ♦♦
accept rate: 18%
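One way to act on this answer, as an added example that is not part of the thread: export both captures (inside the guest, and from the span port or a second VM on the promiscuous vSwitch) with `tshark -T fields`, then list the packets the guest saw leave that never appeared outside. The field set, the guest address 10.0.0.5 and the sample rows are assumptions constructed for the example.

```python
"""Diff a capture taken inside the VM against one taken outside it and list
packets the guest saw leave but the outside capture never recorded.
Rows are assumed to come from (tab separated; field set is an assumption):
  tshark -r cap.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst -e ip.id -e ip.proto
"""
from typing import Dict, List, Tuple

Key = Tuple[str, str, str, str]   # (ip.src, ip.dst, ip.id, ip.proto)


def parse_fields(lines: List[str]) -> Dict[Key, float]:
    """Map each packet key to its first-seen epoch time; skip non-IP rows."""
    seen: Dict[Key, float] = {}
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 5 or not parts[1]:
            continue                      # ARP etc. carry no ip.* fields
        ts, src, dst, ip_id, proto = parts
        seen.setdefault((src, dst, ip_id, proto), float(ts))
    return seen


def missing_outside(inside: List[str], outside: List[str],
                    vm_ip: str, slack: float = 1.0) -> List[Key]:
    """Packets sourced by the VM present inside but absent outside, limited to
    the window the outside capture covers (plus slack for clock skew between
    the two capture hosts) so start/stop offsets do not produce false hits."""
    inner, outer = parse_fields(inside), parse_fields(outside)
    if not outer:                         # nothing outside at all: report every guest packet
        return sorted(k for k in inner if k[0] == vm_ip)
    lo, hi = min(outer.values()) - slack, max(outer.values()) + slack
    return sorted(k for k, ts in inner.items()
                  if k[0] == vm_ip and lo <= ts <= hi and k not in outer)


# Constructed sample rows (not real captures): guest 10.0.0.5 sends four
# packets; the span-port capture only records the first and third, and it
# had already stopped before the last one was sent.
INSIDE = [
    "1323962640.10\t10.0.0.5\t10.0.0.9\t0x1a2b\t6",
    "1323962640.20\t10.0.0.5\t10.0.0.9\t0x1a2c\t6",
    "1323962640.30\t10.0.0.9\t10.0.0.5\t0x7f01\t6",
    "1323962640.40\t10.0.0.5\t10.0.0.9\t0x1a2d\t6",
    "1323962699.00\t10.0.0.5\t10.0.0.9\t0x1a2e\t6",
]
OUTSIDE = [
    "1323962640.11\t10.0.0.5\t10.0.0.9\t0x1a2b\t6",
    "1323962640.31\t10.0.0.9\t10.0.0.5\t0x7f01\t6",
    "1323962640.41\t10.0.0.5\t10.0.0.9\t0x1a2d\t6",
]

if __name__ == "__main__":
    for key in missing_outside(INSIDE, OUTSIDE, vm_ip="10.0.0.5"):
        print("seen in guest, never outside:", key)
```

A packet reported here was handed to the capture point in the guest but never reached the vSwitch or span port, which is the symptom the question describes; a packet that simply fell outside the outside capture's window is not reported.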