How to Set HyperV NIC in Promiscuous Mode

  • Question

  • Is there any way to set up a NIC on a virtual HyperV guest in promiscuous mode?
    I want to try and run a web filtering product on a VM. Wireshark does not indicate that it is capturing all traffic.
    I have my switch port mirrored already and it works with a regular box but not with the VM.

    Any help would be appreciated.

    Thanks,

    Andy
    Thursday, August 21, 2008 9:11 PM

All replies

  • The virtual switches on Hyper-V act like they have per-port switching, hence you won't see all of the traffic across the system.  This enhances security in a virtual environment.  As a result, your VM is only seeing broadcast traffic, and traffic which is bound for it.
     
    I do not know if this feature is supported on Hyper-V yet or not, but here is something you might be able to try.

    In Virtual Server 2005 R2 SP1, you could manually add a line to the configuration file that would allow this. 
    Open the XML file for your VM.

    I am not sure where best to try this.  The first place I would suggest is under the <global_settings> node.  Add the line:

    <allow_promiscuous_mode type="boolean">TRUE</allow_promiscuous_mode>

    If that does not work, remove the line from the global settings node and add it back under the node for the appropriate ethernet card that you would like to attempt to use this setting on.

    Again, I do not know if this is a supported config item in Hyper-V, definitely let me know if it works.
    - Wayne S. Anderson MCITP, MCSE, MCT http://blog.avanadeadvisor.com/blogs/waynea
    Friday, August 22, 2008 2:36 PM
  • Thanks for the feedback Wayne.
    I'm not exactly sure where to find the location of the XML files. I looked in the folder where the VHDs are stored but did not see any XML files? Is it possible that Hyper-v does not use them like Virtual Server 2005?
    Friday, August 22, 2008 7:46 PM
  • They are where your Hyper-V VM configurations are stored.  They are named as a GUID with an extension of .xml

    To see that storage location, go into server manager, go to the Hyper-V role and then the desired server instance.  From the action tool bar on the right side, choose "Hyper-V Settings".  Under server on the left side of the ensuing dialog box, select the "virtual machines" line and that will provide you with the default location where these XML configs are being created.


    - Wayne S. Anderson MCITP, MCSE, MCT http://blog.avanadeadvisor.com/blogs/waynea
    • Edited by Wayne S. Anderson Friday, August 22, 2008 9:13 PM Added directions
    • Marked as answer by Chang Yin Monday, September 1, 2008 2:20 AM
    Friday, August 22, 2008 9:11 PM
  • Thanks for info.
    I gave it a go and copied the line into the XML file. I tried both under Global Settings and under the appropriate Ethernet card. Unfortunately neither seemed to fix the issue. It does not appear to be supported.

    Thanks again for the suggestions.
    • Proposed as answer by CCC Techie Wednesday, December 10, 2008 5:03 PM
    Monday, August 25, 2008 4:27 PM
  • Hi,
    I have a problem with Websense because I don't know where I can set promiscuous mode on Hyper-V.

    I have a W2K8 server with one NIC. On this server I have installed Hyper-V and I have created a virtual network.

    Is it possible to configure the virtual network in promiscuous mode? How?

    Many thanks for the help
    Tuesday, December 2, 2008 1:45 PM
  • hi lemom75

    I have the same problem with websense over w2k8 and promiscuous mode.
    Did you finally find out what to do about it?

    I couldn't find anything related to configuring a W2K8 Hyper-V virtual network in promiscuous mode.

    Also, did you ask Websense for help on this?

    Regards,
    Manuel Godoy
    Thursday, August 20, 2009 3:13 PM
  • Hi

    Has anyone had any success with this yet? We are using Hyper-V R2 but have to retain a VMware box because it supports promiscuous mode. Are there plans to support this in the up and coming support pack?

    I'd like to get rid of the VMware stuff and only have Hyper-V.

     

    Many Thanks

    Tuesday, September 14, 2010 9:04 AM
  • There is no UI for doing this. But there is an OID for doing it programmatically.

     

    OID_GEN_CURRENT_PACKET_FILTER

    http://msdn.microsoft.com/en-us/library/bb648512.aspx

     

    However, it doesn’t really matter because the primary benefit of promiscuous mode is to capture traffic not destined for the computer. Since the Virtual network is connected to a virtual switch, the traffic is directed at the switch to the port that has the destination. The virtual switch acts as a normal switch in which each port is its own collision domain. This prevents the machine from “seeing” all of the network traffic crossing the switch, even in promiscuous mode, because the traffic is never sent to that switch port if it is not the destination of the unicast traffic. Broadcast and multicast traffic will be sent out all ports. The machine will always pick up broadcast traffic and promiscuous mode can help you pick up the multicast traffic. But for TCP traffic, in a switched network, promiscuous mode isn’t going to help much.

    Source http://social.technet.microsoft.com/Forums/en-US/winserverhyperv/thread/a3c0e8fa-976c-4100-88d7-ceba517d23aa

     

    Hyper-V does not support promiscuous mode at all on its virtual interfaces so far!

     

    Tuesday, September 14, 2010 9:33 AM
  • I was able to make wireshark capture all the packets.

    I followed this post:
       http://fixmyitsystem.com/2013/08/Remote-Wireshark.html

    The only difference is that I use an Internal Virtual Network to connect from the
    guest to the host.

    My hyper-v host IP, for this network is 169.254.107.1 (check yours by doing ipconfig)
    and the Guest is 169.254.107.20


    Steps:
      - Just get rpcapd (http://nmap.org/dist/nmap-6.40-win32.zip).
     
      - Unzip it and install it on the hyper-v host
        Open PowerShell
        Enter-pssession Coremachine    
        Silently install: winpcap-nmap-4.02.exe /S

      - Next up you will have to create a firewall exception for
        this to be reachable from the management machine.
        
        netsh advfirewall firewall add rule name="Remote WinPcap" dir=in action=allow protocol=TCP localport=any remoteip=169.254.107.20
        (to turn on  the rule) netsh advfirewall firewall set rule name="Remote WinPcap" new enable=yes
        (to turn off the rule) netsh advfirewall firewall set rule name="Remote WinPcap" new enable=no


      - Navigate to C:\Program Files\WinPcap
        To start the packet capture service use
            .\rpcapd.exe -p 2002 -n

      - Get the GUID of the network card you want to use in WireShark  
          wmic nic where PhysicalAdapter="TRUE" get Description,GUID,MACAddress,Name,NetConnectionID
          
      - on wireshark
        Select Capture Options
        Click Manage Interfaces
        Select Local Interfaces tab and check the Hide box next to all of them
        Select remote Interfaces tab
        Click add button
        For the host specify the hostname or IP Address  
            (I use an internal network to connect to the host)
             My host IP is 169.254.107.1 and the Guest is 169.254.107.20
        The port default is 2002 (set with the -p switch earlier)
        Null authentication as set with the -n switch earlier
        OK
        You should now see a number of interfaces added
        Click Close

      - There will be a buffer size warning but it can be ignored, and hey presto,
        you are capturing packets from a remote  non GUI machine.  
        The process from here on in is the same as you would use WireShark with
        local traffic capture.
        
                    
    Wednesday, November 20, 2013 11:58 PM

  • I looked for other solutions to get all the traffic from a Network Adapter
     from the host into an adapter in the Guest OS:

      - I tried to bridge the physical adapter with the Internal one but because
        I have Hyper-V Core 2012 I don't know how to do it.

        Does anyone know how I can bridge 2 network adapters in Hyper-V Core 2012?
        I did not find any powershell command that allows me to do that.
       
      - Because I have other programs (apart from wireshark) that are NOT able to
        read from:
          rpcap://[169.254.107.1]:2002/\Device\NPF_{AE604A80-FD39-49D3-8 ....
        I tried to find a tool that would copy all the traffic from one interface
        to the other (tcpreplay, tcpcopy, bittwist), but until now I was not able to
        make it work.
        If someone knows how I can do this, let me know.
              
    Any other tips are welcomed.
    Thanks,

    Pedro      
    • Proposed as answer by PeterSnows Thursday, August 28, 2014 3:51 PM
    • Unproposed as answer by PeterSnows Thursday, August 28, 2014 3:51 PM
    Thursday, November 21, 2013 1:19 AM
  • I got it working.
    I can now use Wireshark to sniff all the traffic that the physical NIC captures.

    By doing this:

    1. Add a VMSwitch Port Feature with the attribute (SettingData.MonitorMode = 2)
      $A = Get-VMSystemSwitchExtensionPortFeature -FeatureName "Ethernet Switch Port Security Settings"

      (OR $A = Get-VMSystemSwitchExtensionPortFeature -FeatureId 776e0ba7-94a1-41c8-8f28-951f524251b5)
      $A.SettingData.MonitorMode = 2

      Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName LAN2 -VMSwitchExtensionFeature $A
      (I used
      Get-VMSwitch, to get the vswitch name, LAN2 is my virtual switch name
      Get-VMSwitchExtensionPortFeature -ExternalPort -SwitchName LAN2 -FeatureName "Ethernet Switch Port Security Settings", to know if the port feature was added)
    2. Change the PortMirroring attribute of the VM network device (this can be done using the GUI)
      Get-VMNetworkAdapter -VMName 06_WinXPMonitor | ? MacAddress -eq '00155D016612' | Set-VMNetworkAdapter -PortMirroring Destination
      (I used
      Get-VM, to know my VMName (06_WinXPMonitor)
      Get-VMNetworkAdapter -VMName 06_WinXPMonitor, to know the MAC address of my adapter (00155D016612)
      Get-VMNetworkAdapter -VMName 06_WinXPMonitor | ? MacAddress -eq '00155D016612' | format-list *, to check if it changed correctly)

    Links:
    Hyper-V NIC in promiscuous mode - (Where I got my answer from)

    Windows Server 2012 Hyper-V Mirroring (Where I got more information)

    Windows Server 2012 Hyper-V Mirroring (translated)



    • Proposed as answer by PeterSnows Thursday, August 28, 2014 4:28 PM
    • Edited by PeterSnows Friday, August 29, 2014 7:23 AM
    Thursday, August 28, 2014 4:23 PM
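
Added example, not part of the original post: the two steps above leave a mirror source on the external switch port and a mirror destination on one VM adapter, and neither is visible at a glance afterwards. This PowerShell sketch lists every such setting on a host so an administrator can confirm which guests receive mirrored traffic. The function name Get-MirrorAudit is made up for this example; the numeric MonitorMode mapping (0 None, 1 Destination, 2 Source) is taken from the switch port security setting the post modifies.

```powershell
# Added example (not from the thread). Run elevated on the Hyper-V host,
# Windows Server 2012 or later, with the Hyper-V PowerShell module available.
# Get-MirrorAudit is a hypothetical name chosen for this example.

function Get-MirrorAudit {
    # Names for the numeric MonitorMode values of the port security feature.
    $modeName = @{ 0 = 'None'; 1 = 'Destination'; 2 = 'Source' }

    # VM side: adapters whose PortMirroring was set to Source or Destination.
    Get-VM | Get-VMNetworkAdapter |
        Where-Object { "$($_.PortMirroringMode)" -ne 'None' } |
        ForEach-Object {
            [pscustomobject]@{
                Scope  = 'VM adapter'
                Switch = $_.SwitchName
                Owner  = $_.VMName
                Mac    = $_.MacAddress
                Mode   = "$($_.PortMirroringMode)"
            }
        }

    # Host side: external switch ports that carry the security feature
    # with MonitorMode set to something other than None.
    foreach ($sw in Get-VMSwitch -SwitchType External) {
        Get-VMSwitchExtensionPortFeature -ExternalPort -SwitchName $sw.Name `
                -FeatureName 'Ethernet Switch Port Security Settings' |
            Where-Object { [int]$_.SettingData.MonitorMode -ne 0 } |
            ForEach-Object {
                [pscustomobject]@{
                    Scope  = 'External port'
                    Switch = $sw.Name
                    Owner  = '(host physical NIC)'
                    Mac    = $null
                    Mode   = $modeName[[int]$_.SettingData.MonitorMode]
                }
            }
    }
}

# One row per mirrored port, grouped by virtual switch.
Get-MirrorAudit | Sort-Object Switch, Scope | Format-Table -AutoSize
```

A row that is no longer wanted can be cleared with Set-VMNetworkAdapter -PortMirroring None for a VM adapter, or Remove-VMSwitchExtensionPortFeature for the external port feature.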
  • Hi, I've been looking at this issue as well and ended up writing a PowerShell module to enable promiscuous mode on external and internal vswitch host ports, due to the Hyper-V PowerShell cmdlets limitations:

    https://github.com/cloudbase/unattended-setup-scripts/blob/master/VMSwitchPortMonitorMode.psm1 

    Basic usage example:

    Import-Module .\VMSwitchPortMonitorMode.psm1
    Set-VMSwitchPortMonitorMode -SwitchName MySwitch -MonitorMode Source

    To get the current port monitoring mode for a switch: 

    Get-VMSwitchPortMonitorMode -SwitchName MySwitch

    Here's a blog post with more details

    http://www.cloudbase.it/hyper-v-promiscuous-mode/


    Saturday, September 27, 2014 3:55 PM
  • Hello folks,

    This is to confirm that Websense VM can be deployed inside Hyper-V virtual machine and support promiscuous mode for Web Filtering!

    You can find all details below:

    http://charbelnemnom.com/2015/01/how-to-deploy-websense-in-stand-alone-mode-on-a-hyper-v-virtual-machine-hyperv-websense/

    Hope this helps.

     

    Regards,

    Charbel Nemnom

    MCSE, MCS, MCSA, MCP, MVP

    Blog: www.charbelnemnom.com


    Thursday, January 15, 2015 7:02 PM