Hyper-V NIC in promiscuous mode

Hello,
    Is there a way to setup a NIC in hyper-V or the Hyper-V virtual Swith to support promisuous mode for Web Filtering Software like websense?
Thank
ML

~
~
Victor, what you've posted is a description on how to monitor one VM's traffic on another VM inside the same Hyper-V, but what is needed, is to monitor traffic from some physical PCs on a VM, for example:
There are machines A, B, and the Hyper-V host machine, all connected to the same physical switch, like HP Procurve or some Cisco device, etc. We can setup port mirroring on that switch (SPAN), so that all the traffic between A and B would be mirrored to
the Hyper-V host machine port, and we even can monitor that traffic on the Hyper-V host. But what is needed, is to pass that mirrored traffic, coming from outside of Hyper-V to a guest virtual machine. Is there any way of doing that using the Hyper-V settings
or some 3rd party switch extensions?
~
~
https://blogs.technet.com/b/koalra/archive/2012/11/07/windows-server-2012-hyper-v-mirroring.aspx?Redirected=true
 =}
TechNet Blogs }} Ko Allah's White House ... }}  Windows
Server 2012 Hyper-V, port
monitoring (Mirroring)-based network
management
==
Seung Joo Baek
7 Nov 2012 1:25 AM                           
the physical ports the port mirroring. Windows Server 2012 R2 and capture driver
for my Hyper-V virtual switch extensions can be done through NDIS.
This can be enabled by the PowerShell, cmdlets are:
$a = Get-VMSystemSwitchExtensionPortFeature -FeatureId 776e0ba7-94a1-41c8-8f28-951f524251b5
$a.SettingData.MonitorMode = 2
add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName name_of_the_switch -VMSwitchExtensionFeature $a
 Wouldn't that difficult?
Related switch expansion port of the NDIS,
the identity of the captured driver,
unplug the monitor mode 2 (port monitoring)
and, in addition to the external port related functions.
This involves a process, the external port is connected to a physical switch occurred on the VM in the packet will be monitored.
Not a physical port setting, VM-to-be a part of it, for the time when, if you look at it, never to get a glimpse of the classroom.
==
Plus:
TechNet Blogs»
Russian Windows Virtualization Discussion»
Hyper-V Port Mirroring – захват внешнего трафика с физического интерфейса
 =}
==
Alex A. Kibkalo
5nine Software
12 Mar 2014 8:27 PM
I  (
Alex A. Kibkalo )
was asked several times whether Hyper-V Configure Port Mirroring so that traffic from the physical interface on top of a virtual switch, the whole thing
went to the “LAN traffic mirroring” virtual machine for analysis. VMware is able do this, and Hyper-V Port Mirroring by default captures only traffic caught inside the
virtual switch-external traffic, of course, is not a particular VM, there simply is not.
While working in theMicrosoft
team, I had a conversation on the subject
Unfortunately, I do not remember with whom exactly :-(
The rare and is not documented. It was recently found a solution to this problem.
The following method works on nodes with Windows Server 2012 R2.
Windows Server 2012 update must be installed
2885541
So, you will need to Configure Port Mirroring Destination mode for the machine which will channel bandwidth.
For virtual switch is required to enable NDIS Capture.
As a traffic source configure the external port of the virtual switch with the help of PowerShell commands:
$a = Get-VMSystemSwitchExtensionPortFeature -Name “Ethernet Switch Port Security Settings”
$a.SettingData.MonitorMode = 2
add-VMSwitchExtensionPortFeature -ExternalPort –SwitchName v-switch_name -VMSwitchExtensionFeature $a
 I would be glad, if somebody will help.
==

Similar Messages

  • How to Set HyperV NIC in Promiscuous Mode

    Is there any way to set up a NIC on a virtual HyperV guest in promiscuous mode?
    I want to try and run a web filtering product on a VM. Wireshark does not indicate that it is capturing all traffic.
    I have my switch port mirrored already and it works with a regular box but not with the VM.
    Any help would be appreciated.
    Thanks,
    Andy

    I was able to make wireshark capture all the packets.
    I followed this post:
       http://fixmyitsystem.com/2013/08/Remote-Wireshark.html
    The only diference is that use and Internal Virtual Network  to connect from the
    guest to the host.
    My hyper-v host IP, for this network is 169.254.107.1 (check yours by doing ipconfig)
    and the Guest is 169.254.107.20
    Steps:
      - Just get rpcapd (http://nmap.org/dist/nmap-6.40-win32.zip).
      - Unzip it and install it on the hyper-v host
        Open PowerShell
        Enter-pssession Coremachine    
        Silently install: winpcap-nmap-4.02.exe /S
      - Next up you will have to create a firewall exception for
        this to be reachable from the management machine.
        netsh advfirewall firewall add rule name="Remote WinPcap" dir=in action=allow protocol=TCP localport=any remoteip=169.254.107.20
        (to turn on  the rule) netsh advfirewall firewall set rule name="Remote WinPcap" new enable=yes
        (to turn off the rule) netsh advfirewall firewall set rule name="Remote WinPcap" new enable=no
      - Navigate to C:\Program Files\WinPcap
        To start to packet capture service use
            .\rpcapd.exe -p 2002 -n
      - Get the GUID of the network card you want to use in WireShark  
          wmic nic where PhysicalAdapter="TRUE" get Description,GUID,MACAddress,Name,NetConnectionID
      - on wireshark
        Select Capture Options
        Click Manage Interfaces
        Select Local Interfaces tab and check the Hide box next to all of them
        Select remote Interfaces tab
        Click add button
        For the host specify the hostname or IP Address  
            (I use an internal network to conect to the host)
             My host IP is 169.254.107.1 and the Guest is 169.254.107.20
        The port default is 2002 (set with the -p switch earlier)
        Null authentication as set with the -n switch earlier
        OK
        You should now see a number of interfaces added
        Click Close
      - There will be a buffer size warning but it can be ignored, and hey presto,
        you are capturing packets from a remote  non GUI machine.  
        The process from here on in is the same as you would use WireShark with
        local traffic capture.

  • How to do I set Network (NIC) to promiscuous mode?

    I have a mid 2010 MacBook Pro .

    Mail
    "First letter capital" feature is not available in Mail.
    Word 2007
    http://office.microsoft.com/en-us/word-help/change-the-capitalization-of-text-HA 010210665.aspx

  • Using promiscuous mode to collect UDP data

    Is it possible to set a NIC in promiscuous mode and to pull all UDP data?
    I have created a VI to listen to data coming across a specific UDP port, this work perfect for one device when I specify the NIC IP address.
    My challenge is I have multiple devices with different IP addresses/networks, that I have to switch between. Every time I switch I need to reconfigure my NIC IP address to capture the data. I would like all data to pass through regardless of IP address. Does LabView support this?
    Thanks

    No, LabVIEW does not natively support a way to put a network interface into promiscuous mode and capture all traffic. You'll either need to use a packet sniffer like Wireshark to capture to a file, and then process it later, or use other libraries. A starting point might be http://zone.ni.com/devzone/cda/epd/p/id/2660

  • Does the Intel 82579LM NIC on the Portege R830 support Promiscuous mode?

    Hi,
    I've got a work laptop (Portege R830), which doesn't want to sniff packets. I've got it connected to a Netgear Hub (DS104), along with an older notebook, and then uplink to ADSL.
    Running a continuous ping to the default gateway and Wireshark on both devices and the other computer can see the pings from the Toshiba, but not vice-versa.
    The Toshiba is running as an Administrator account, has the Windows Firewall disabled, and my Symantec End Point Encryption disabled. I don't have any other AV to my knowledge.
    Does anyone have any ideas of services I should disable/enable, or knowledge of the features of this NIC?
    According to the Intel site "Yes, all currently marketed Intel PRO/100, Intel PRO/1000, Intel Gigabit, Intel PRO/10 Gigabit, and Intel 10 Gigabit adapters support Promiscuous mode. " But the Intel 82579 Gigabit Ethernet Controller is not in the list that follows on; http://www.intel.com/support/network/sb/CS-004185.htm?wapkw=%28promiscuous%29
    Thanks for your time.

    Usually the firewall or Internet Security software blocks pings so perhaps try uninstalling Symantec completely. Just disabling it may not disable everything.
    Another thing to try is use a Static IP Address instead of DHCP. Disabling IPv6 or installing a newer LAN driver from the Intel website may also help.

  • Does the apple thunderbolt to ethernet dongle support promiscuous mode ?

    Does the apple thunderbolt to ethernet dongle support promiscuous mode ?
    I need to use the new Retina MBP as a professional laptop for work, and I need to use Etherreal. Etherreal needs the Ethernet card/dongle/chip to run in Promiscuous mode. I have heard that unblivably the thunderbolt Ethernet dongle does not support this, if so then the laptop will not pick all the packets on the wire... is this true ?
    Regs Mark.

    Hi Clinton,
    Thanks for your reply, However the promiscuous mode function that I am after is a function of the Ethernet NIC hardware and driver not just the OS.
    Wireshark allows the user to put network interface controllers that support promiscuous mode into that mode, in order to see all traffic visible on that interface, not just traffic addressed to one of the interface's configured addresses and broadcast/multicast traffic.
    Anyone out there actually used/tested the thunderbolt Ethernet adapter to sniff traffic with wireshark (Ethereal), can you please  if it can run in promiscuous mode ?
    Thanks.

  • Configuring IDSM in promiscuous mode?

    Hello,
    I have two switch catalyst 6500 in VSS each with a IDSM module, I want monitor four VLANs three of them are vlans of users and one of servers, I am planning use VACLs to capture the traffic.
    My first quetion is how to configure the data ports of IDSM in promiscuous mode, if in the configuration guide say that by default the data ports are in promiscuous mode, so that means that I don't have to make any configuration in the data ports of IDSM?
    Second, if I have two switches 6500 in vss each with a IDSM module, I have to consider other configurations for this situation?
    The configuration of VACL that I will put is:
    ip access-list extended ACL_IPS
      permit ip any any
    vlan access-map VACL_IPS 10
      match ip address ACL_IPS
      action forward
    vlan filter VACL_IPS vlan-list 30 , 40 , 50 , 100
    intrusion-detection switch 1 module 4 data-port 1 capture allowed-vlan 30,40,50,100
    intrusion-detection switch 1 module 4 data-port 1 capture
    intrusion-detection switch 1 module 4 data-port 1 autostate include
    intrusion-detection switch 2 module 4 data-port 1 capture allowed-vlan 30,40,50,100
    intrusion-detection switch 2 module 4 data-port 1 capture
    intrusion-detection switch 2 module 4 data-port 1 autostate include
    Thanks for the help.

    The IDSM doesn;t need any special commands to inspect traffic in Promiscious mode.
    You'll want to put your IDSM management interfaces on a VLAN to talk with them:
    intrusion-detection module 4 management-port access-vlan 99
    Use the "forward capture" switch:
    vlan access-map VACL_IPS 10
      match ip address ACL_IPS
      action forward capture
    Get rid of the spaces between your VLAN numbers
    vlan filter VACL_IPS vlan-list 30,40,50,100
    If you put two IDSMs in teh same chassis you'll need to decide how to split traffic between them. You can assign different VLANs to each IDSM.
    - Bob

  • UCCX on VMWare needs ethernet promiscuous mode?

    Hello all,
    Just noticed something in the vmware host logs:
    2013-06-08T16:29:52.001Z cpu20:14694)etherswitch: L2Sec_EnforcePortCompliance:153: client ccx.eth0 requested promiscuous mode on port 0x4000024, disallowed by vswitch policy                
    And that's expected, because the default configuration of the vswitch denies ethernet promiscuous mode.
    Now the question is - does the virtual UCCX need promiscuous mode at all? I would expect to see it as a specific note in the documentation if it would. The docwici for UC on UCS is quite detailed and it get's bigger and bigger every day.
    I suppose the promiscuous mode is related somehow to call monitoring and recording, but is it really a requirement? I am using Desktop Based monitoring and recording. UCCX version 9.0.2.10000-71

    Hi,
    Please check your recording options.
    If it set not to spanless recording,you'll have allow promiscuous mode and rspan vlans.

  • Ethernet Card in promiscuous mode

    Hello,
    I have a Powerbook G4 15p (1.25GHz) and I want to capture network trafic on a cisco trunk port.
    It works fine but I have no informations concerning vlan tags : is it possible to configure the Ethernet driver in promiscuous mode ?
    Best Regards,
    Guillaume
    Edit : same problem as describe here : http://support.intel.com/support/network/sb/cs-005897.htm

    I was thinking of a network driver option : How can I know what sort of network chipset is on my powerbook ?
    If I look to /System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns, I can see this :
    Apple3Com3C90x.kext AppleDP83816Ethernet.kext AppleRTL8139Ethernet.kext
    AppleBCM440XEthernet.kext AppleGMACEthernet.kext AppleRTL8169Ethernet.kext
    AppleBCM5701Ethernet.kext AppleIntel8254XEthernet.kext Apple_DEC21x4Ethernet.kext
    AppleBMacEthernet.kext AppleIntel8255x.kext
    and there is the possibility to update an xml config file on some driver modules
    Here is the result of my kextstat :
    34 3 0x2dd90000 0x1f000 0x1e000 com.apple.iokit.IONetworkingFamily (1.5.0) <6 5 4 3 2>
      Mac OS X (10.4.3)  

  • IDSM-2 - Promiscuous Mode

    I would like my IDSM-2 to run in a Promiscuous Mode ( and not INLINE mode)
    How can i configure it so that it works on the - " Block Nothing,Monitor Everything" principle.
    I need the blade to "Never" block the upstream devices like routers and Firewalls.
    By the way,how will the IDSM running in Promiscuous Mode even "know" of upstream routers and other network devices.
    Thanks !!!

    Hi,
    You can find how to configure IDSM-2 to run promiscuous mode here.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html#wp1030752
    From there, you can find IOS vs. CatOS configuration as well as SPAN vs. VACL.
    Once that is done, you can find configuration guide here regarding IPS software. I will list both CLI and IDM in case you prefer one over the other...
    CLI -
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df7d.html#wp1033699
    IDM -
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804cf4c2.html#wp1031960
    In promiscuous mode, unless you configure blocking with blocking device, it will never block anything by default. Even with blocking, you can configure never-block addresses.
    CLI -
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df77.html#wp1031471
    IDM -
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804d1374.html#wp1037905
    IDSM will not know about which is what (upstream routers and other network devices) unless you specify them in 'never block' or 'blocking devices'
    Thank you.
    Edward

  • Macbook pro (june 2010) airport promiscuous mode

    Hi all,
    For my network security course, I have to sniff a wireless network.
    Is it possible to put the airport extreme in promiscuous mode? When I use wireshark and select the "capture packets in promiscuous mode" I can only see my own traffic...Although when I check my "en1" status in ifconfig, I see that the "promisc" flag is set..strange
    I've put the wpa/psk password in wireshark so that's not the problem.
    So my final question is, does the promiscuous mode on airport extreme work on a 2010 macbook pro?

    flawlessnyc wrote:
    Of course it's my network and devices. And I'm interested in email accounts. As a parent . . . . well ya gotta be diligent.
    Look at the devices - how are they accessing the email?
    If it is via webmail in the browser (or a 'browser based' app) look for account setting to only use https. Some providers will only allow login via https which is secure, http is not secure, these can usually be 'forced' with account settings.
    When logged in does the website remain on https, if it goes to http instead the email content could be visible on that network. Bookmark the https url for the child, and remove any http urls for the same site so they are less likely to use http by accident. Explain to the kids why the 'green lock' in the address bar (indicates https) is important for reading email or any other 'private' data.
    Do the same with search engines (so their searches may be 'invisible' to the local network).
    If they are using an email client like Apple Mail check the settings again for each mail server, there are options to only use the specific server, and only use secure protocols (SSL,TLS…). That should prevent the mail being sent in plain text across the network, however email is inherently insecure as a service (it bounces from mail server to mail server with to & from addresses visible) so the kids may be better off using iMessage or another chat service that has some level of encryption / privacy.
    You can try viewing the network traffic to find passwords for these services, but it is very involved…
    Monitor in promiscous mode on the same wifi channel as the network.
    Decrypt the wifi traffic (you need the network key for this since wifi itself is encrypted (WEP, WPA, WPA2 etc)
    Look for the email traffic & recombine the packets to follow the conversation, but you still cannot read https traffic.
    All you will be able to find is passwords or form values for websites that do not use https.
    There are other things they should be careful with - like avoiding unknown/ open/ free wifi networks. Even cellular towers can be malicious nowadays, so disabling cellular data could help them be a little more secure. They should also avoid accepting certificates or 'profiles' to connect to any network.
    I'm not sure that watching packets in the air will get you better results any quicker that learning how to secure the settings on each device, pass on the info to the kids & eventually they will start to get it
    P.S
    You may be able to lock settings via parental controls. iOS has 'restrictions' within the Settings app. Just use them carefully otherwise they will nag you about being unable to take a photo or use maps etc!

  • Enable monitor/promiscuous mode on Cisco Atheros AR5001X+

    I have a Cisco Aironet Atheros AR5001X+ wireless card installed on an HP laptop running Ubuntu 8.10. The card is working and I would like to know how to enable monitor/promiscuous mode on it so that I can use wireshark to capture network traffic at work. I would also like to know if I can enable the card in monitor/promiscuous mode in Windows XP and how? Any help would be appreciated, thanks.

    in a console window:
    sudo ifconfig ath0 PROMISC
    password:
    it should be ath0 for an atheros chip, but may be wlan0 or something else
    you will need to install Winpcap for windows
    http://www.winpcap.org/')">http://www.winpcap.org/

  • Configuring IDSM-2 Promiscuous Mode with MLS IP IDS

    I am having a problem configuring promiscuous mode with an IDSM-2 running 5.0(3)S181.0 in a 6509 with Sup 720 running IOS 12.2(18)SXD4. I am running router interfaces without VLANs so I have created an extended access list with a 'permit ip any any' and configured this on my interfaces with 'mls ip ids access-list-name'. I configured 'intrusion-detection module x data-port 1 capture' and 'intrusion-detection module x data-port 2 capture', and because of the caution note on page 14-12 of 78-16127-01 I also configured 'intrusion-detection module x data-port 1 capture allowed-vlan 1-4094' and 'intrusion-detection module x data-port 2 capture allowed-vlan 1-4094'. After that I can see the output counters rising in 'show 'intrusion-detection module x data-port 1 traffic' and 'show 'intrusion-detection module x data-port 2 traffic'. I can configure the IDSM-2 using the VMS management center, and I added my sensor to security monitor and set the level down to informational, but I don't even see any events or even the start-up informational message. Anyone have any idea what I missed?

    Here is a document on Configuring the Catalyst Series 6500 Switch for IDSM-2 in Promiscuous Mode.
    http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_configuration_guide_chapter09186a0080459221.html#wp1030752

  • Configuring 4255 sensor in promiscuous mode

    I have a 4255 with 3 interfaces that connect to a 6500 series switch. The IPS interfaces are set to promiscuous mode with a defualt vlan specified.
    On the switch side, I would like to send the traffic from more than one vlan to the sensor GE interfaces. What is the best way to do this?
    Do I set up a monitor session on the switch with a source of multiple vlans, then set the destination as one of the sensor ports?
    I also see the option to do a switchport capture.
    Any advice would be great

    You want to do a VACL capture on the 6500:
    http://www.cisco.com/c/en/us/support/docs/lan-switching/vlan-access-lists-vacls/89962-vacl-capture.html
    monitor session 50 source vlan 100 , 200
    monitor session 50 destination interface Fa3/30

  • Windows Server 2012 R2 - Hyper-V NIC Teaming Issue

    Hi All,
    I have cluster windows server 2012 R2 with hyper-v role installed. I have an issue with one of my windows 2012 R2 hyper-v host. 
    The virtual machine network adapter show status connected but it stop transmit data, so the vm that using that NIC cannot connect to external network.
    The virtual machine network adapter using Teamed NIC, with this configuration:
    Teaming Mode : Switch Independent
    Load Balance Algorithm : Hyper-V Port
    NIC Adapter : Broadcom 5720 Quad Port 1Gbps
    I already using the latest NIC driver from broadcom.
    I found a little trick for this issue by disable one of the teamed NIC, but it will happen again.
    Anyone have the same issue with me, and any workaround for this issue?
    Please Advise
    Thanks,

    Hi epenx,
    Thanks for the information .
    Best Regards,
    Elton Ji
    We
    are trying to better understand customer views on social support experience, so your participation in this
    interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

Maybe you are looking for