Tuesday, October 29, 2013

Creating a Port Mirror / SPAN port on VMware ESXi 5.1

This post shows how to get a port mirror, or SPAN port, working on VMware ESXi 5.1.  This is helpful for troubleshooting, and will be used in another post.

Step 1:
Add the port group to the vSwitch.  Select the ESXi host, click on the "Configuration" tab, and click on "Networking".  Click on "Add Networking...", choose "Virtual Machine", choose "Use vswitch0", change the network label to "SPAN", and choose all of the VLANs.  The network should now look like this.


Step 2:
Edit the vSwitch properties.  Click the "Properties..." link for vswitch0.  Click on "Edit..." for the vSwitch.  On the "Security" tab, change "Promiscuous Mode" to "Accept".  Port groups inherit the vSwitch security policy unless they override it, so this setting applies to every port group on vswitch0 that does not set its own.

Step 3:
Edit the port group properties.  In the same dialog for vswitch0 properties, select "SPAN" and click "Edit...".  Go to the "Security" tab and enable "Promiscuous Mode".

Go to the "Traffic Shaping" tab and mark the status disabled checkbox.


Step 4:
Add a NIC to a machine to listen in on the SPAN port group.

Step 5:
Verify functionality.  This is the output of a tcpdump on the new interface in the SPAN port group.  It sees management network traffic as well as production traffic, so the interface can now be used as a central point for IDS, analysis, troubleshooting, etc.

15:18:07.033540 IP 192.168.1.13 > 192.168.1.10: ICMP echo request, id 23559, seq 42, length 64
15:18:07.033608 IP 192.168.1.10 > 192.168.1.13: ICMP echo reply, id 23559, seq 42, length 64
15:18:08.034594 IP 192.168.1.13 > 192.168.1.10: ICMP echo request, id 23559, seq 43, length 64
15:18:08.034651 IP 192.168.1.10 > 192.168.1.13: ICMP echo reply, id 23559, seq 43, length 64
15:18:09.035933 IP 192.168.1.13 > 192.168.1.10: ICMP echo request, id 23559, seq 44, length 64
15:18:09.036028 IP 192.168.1.10 > 192.168.1.13: ICMP echo reply, id 23559, seq 44, length 64
15:18:10.036544 IP 192.168.1.13 > 192.168.1.10: ICMP echo request, id 23559, seq 45, length 64
15:18:10.036597 IP 192.168.1.10 > 192.168.1.13: ICMP echo reply, id 23559, seq 45, length 64
15:18:11.037510 IP 192.168.1.13 > 192.168.1.10: ICMP echo request, id 23559, seq 46, length 64
15:18:11.037566 IP 192.168.1.10 > 192.168.1.13: ICMP echo reply, id 23559, seq 46, length 64
15:19:44.850525 IP 172.16.0.13 > 172.16.0.10: ICMP echo request, id 24071, seq 1, length 64
15:19:44.850726 IP 172.16.0.10 > 172.16.0.13: ICMP echo reply, id 24071, seq 1, length 64
15:19:45.851507 IP 172.16.0.13 > 172.16.0.10: ICMP echo request, id 24071, seq 2, length 64
15:19:45.851686 IP 172.16.0.10 > 172.16.0.13: ICMP echo reply, id 24071, seq 2, length 64
15:19:46.852256 IP 172.16.0.13 > 172.16.0.10: ICMP echo request, id 24071, seq 3, length 64
15:19:46.852385 IP 172.16.0.10 > 172.16.0.13: ICMP echo reply, id 24071, seq 3, length 64
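
A check for Step 5, as an added example that is not part of the original post: it parses tcpdump lines like the ones above and counts unicast flows in which the capturing machine is neither endpoint, since broadcast and multicast reach a NIC even without promiscuous mode. The sensor address 192.168.1.50, the /24 prefix and the last two sample lines are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# tcpdump's default IPv4 line; the optional group drops a trailing ".port".
LINE = re.compile(r"IP (\d+(?:\.\d+){3})(?:\.\d+)? > (\d+(?:\.\d+){3})(?:\.\d+)?:")

def foreign_flows(lines, sensor_addrs, prefix=24):
    """Count unicast (src, dst) pairs in which the sensor is neither endpoint.

    prefix is an assumed subnet size, used only to spot directed broadcasts.
    """
    sensor = {ipaddress.ip_address(a) for a in sensor_addrs}
    flows = Counter()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # ARP, IPv6 and other lines this pattern does not cover
        src, dst = (ipaddress.ip_address(g) for g in m.groups())
        net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
        if dst.is_multicast or dst == net.broadcast_address:
            continue  # delivered to every NIC, proves nothing about the mirror
        if src in sensor or dst in sensor:
            continue  # the sensor's own traffic
        flows[(str(src), str(dst))] += 1
    return flows

def networks_seen(flows, prefix=24):
    """Return the sorted networks that the foreign flows belong to."""
    nets = set()
    for pair in flows:
        for addr in pair:
            nets.add(str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False)))
    return sorted(nets)

# First four lines are from the capture above; the last two are constructed.
SAMPLE = [
    "15:18:07.033540 IP 192.168.1.13 > 192.168.1.10: ICMP echo request, id 23559, seq 42, length 64",
    "15:18:07.033608 IP 192.168.1.10 > 192.168.1.13: ICMP echo reply, id 23559, seq 42, length 64",
    "15:19:44.850525 IP 172.16.0.13 > 172.16.0.10: ICMP echo request, id 24071, seq 1, length 64",
    "15:19:44.850726 IP 172.16.0.10 > 172.16.0.13: ICMP echo reply, id 24071, seq 1, length 64",
    "15:20:00.000000 IP 192.168.1.13.138 > 192.168.1.255.138: NBT UDP PACKET(138)",
    "15:20:01.000000 IP 192.168.1.13.51000 > 192.168.1.50.22: Flags [S], seq 1, win 29200, length 0",
]
SENSOR = ["192.168.1.50"]  # assumed address of the capturing machine

if __name__ == "__main__":
    flows = foreign_flows(SAMPLE, SENSOR)
    print("foreign unicast flows:", dict(flows))
    print("networks seen:", networks_seen(flows))
```

An empty result from a capture taken while other hosts are exchanging traffic means the interface is only receiving its own and broadcast traffic, which points back at the promiscuous mode settings in Steps 2 and 3.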
