Tuesday, 3 April 2012

Using a Network Packet Analyzer on a VMware vSphere Virtual Network

Using a Network Packet Analyzer on a VMware vSphere Virtual Network

Whether you are a server, network, or VMware Admin, a common tool for analyzing network issues is a protocol analyzer (also called packet analyzer or "sniffer"). These software applications analyze network traffic in real-time to allow you to view the packets traversing a network. These tools will tell you what network device is creating the most traffic on the network, what protocols are most being used on the network, who is talking to who on the LAN, and if there are network errors. If packets are being sent in clear-text, you can even decode that text to see things like passwords.

Why you need Promiscuous Mode

Network switches use a forwarding table (CAM table on a Cisco switch) to track what Ethernet devices are on what Ethernet port, and only send traffic destined for those devices out that port. By default, protocol analyzers will only see traffic sent from or to the computer they are running on. Very likely, that isn't going to help you to troubleshoot the network, so the common procedure is to perform "port mirroring" or configure "port spanning" (SPAN or RSPAN). This copies all traffic going to or from a particular port (or group of ports or list of VLANs) to a destination port. Then, you would analyze that port with your protocol analyzer.

Promiscuous Mode on the Virtual Network

But what happens when the network is virtual? Don't worry, this same process can also be performed on a virtual switch, allowing you to see all traffic traversing a virtual switch or vDS. What you would do is to run a protocol analyzer like Wireshark (free edition) inside a virtual machine and then configure the port group where the VM is connected to be in promiscuous mode, like this:
vSphere Promiscuous Mode
Once promiscuous mode is configured on the vSwitch, that carries down to the port groups in that vSwitch. Now, every port in the VM port group will see the traffic traversing the vSwitch (being sent to and from the VMs on the vSwitch). And suddenly, your Wireshark protocol analyzer will begin to see all traffic from all other VMs, allowing you to analyze the traffic on the vNetwork (as you see below).
Wireshark on vSphere
Think about it, you are analyzing the virtual network at zero cost after tweaking just one vSphere virtual switch setting and installing your protocol analyzer on a VM connected to that vSwitch.

Reasons to Analyze the Virtual Network

Why would you want to analyze the virtual network? Really, the reasons to analyze the virtual network are typically the same reasons you would analyze the physical network. Here are some reasons I have analyzed the virtual network in the past:
  • Identify the VM that is over utilizing network bandwidth, causing slowdowns on the virtual (or physical) network
  • Find PCs that are infected with worms or viruses
  • Troubleshoot malfunctioning network services (DHCP or DNS maybe) or network applications
  • Prove that the network is NOT the cause of a problem
  • Sniff the network for malicious or unwanted traffic
  • and much more...

Tools & Resources to Help you Analyze the Virtual Network

Many of the same tools you use to analyze the physical network can be used to monitor the virtual network but there are a few additions.

Xangati for ESX Server

No comments:

Post a Comment