Sunday, August 18, 2013

Hyper-V Port Mirroring and Network Capture

Introduction

Hyper-V port mirroring, introduced in Windows Server 2012, allows you to easily monitor traffic on virtual machines without having to capture the traffic directly on that VM. It's exactly the same thing as standard port mirroring, only we're doing it using a virtual switch rather than a physical one. You can use this in your Hyper-V environment for all sorts of network troubleshooting. It only takes a couple of minutes to set up, so let's do it and then capture some packets!

Assumptions

  • Administrative Access to 2012 Hyper-V Host/Cluster
  • At least one vSwitch already configured (though we'll cover multiple)
  • At least two VMs configured; one to monitor and one to collect the data

Set Up Port Mirroring (GUI)


Configure Machine to be Mirrored

  1. Open the Hyper-V Manager
  2. Right click the machine that you would like to capture from and select "Settings".


  3. Expand the properties of the NIC (Network Interface Card) you would like to mirror by clicking the plus sign to its left and click "Advanced Features". 
  4. Under "Port mirroring"->"Mirroring Mode" click the drop down and select "Source". This sets this NIC as the source of mirroring on the Hyper-V switch it is connected to.


  5. Make note of the vSwitch the NIC is connected to (right below "Network Adapter") and click "OK".

Configure the Mirror Target


It makes setting up a network capture substantially easier if you add a dedicated NIC for each source machine. This NIC must be on the same virtual switch. A dedicated NIC allows unbinding all services/protocols in the guest OS, which will facilitate an entirely clean capture. More on that below...

  1. Shut down the virtual machine you intend on being the target of the network capture.
  2. After shutdown, right click that machine and select "Settings".
  3. Under "Add Hardware" in the right hand pane select "Network Adapter" and click "Add".
  4. The network adapter properties page for the new NIC will come up. Under "Virtual switch:" select the same switch that the source machine/NIC is connected to.
  5. Expand the properties of the new NIC and select "Advanced Features".
  6. Under "Port mirroring"->"Mirroring Mode" click the drop down and select "Destination". This sets this NIC as the destination of mirroring on the Hyper-V switch it is connected to. Click "OK".


  7. Start the VM back up.

Configure the Mirror NIC in Capturing VM OS


Note: The instructions for this portion are somewhat generic because your guest OS on the capturing VM may differ from mine.

  1. After the capturing VM starts back up, log on via RDP or otherwise.
  2. Open your network connections and determine which NIC is the added one for mirroring. Rename it something like "{VSwitchName} Port Mirror" for easy identification.
  3. Open the properties of that NIC.
  4. Un-bind all protocols and services from that NIC and click "OK". By removing all bindings we'll be able to ensure a clean capture without interfering with the existing network connection. None of the standard protocols or services are used in the mirror process; Hyper-V takes care of everything for you. If you already have your network sniffing software installed, you may need to reboot the capture machine in order to see the NIC.

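The same guest-side preparation can be scripted. The block below is an added example, not the original post's commands: run it inside the capture VM in an elevated PowerShell (Windows 8 / Server 2012 or later). It picks the mirror adapter by MAC address rather than by guessing which "Ethernet N" is new, so the wrong adapter never gets unbound. The MAC value, the adapter name and the vSwitch name are placeholders; the real MAC is what `Get-VMNetworkAdapter` reports for the mirror NIC on the host.

```powershell
# Added example (not the original post's commands): run inside the capture VM in an
# elevated PowerShell. Identifies the mirror NIC by MAC address, renames it, and
# strips every protocol/service binding so the adapter does nothing but feed the sniffer.
#
# Assumed: the MAC reported on the Hyper-V host by
#   Get-VMNetworkAdapter -VMName CaptureVM01 -Name 'vSwitch-LAN Port Mirror' | Select MacAddress
$MirrorMac = '00155D0A0B0C'             # constructed placeholder; substitute your own value
$NewName   = 'vSwitch-LAN Port Mirror'  # assumed: "{VSwitchName} Port Mirror" as in the steps above

# The host reports the MAC without separators; the guest shows "00-15-5D-0A-0B-0C".
# Normalise before comparing (-eq is case-insensitive in PowerShell).
$nic = Get-NetAdapter | Where-Object { ($_.MacAddress -replace '-', '') -eq $MirrorMac }
if (-not $nic) {
    throw "No adapter with MAC $MirrorMac found in this guest; check the host-side settings."
}

# Step 2: give it a name that says what it is for.
Rename-NetAdapter -Name $nic.Name -NewName $NewName

# Step 4: un-bind everything (IPv4, IPv6, Client for Microsoft Networks, File and
# Printer Sharing, ...). Hyper-V delivers the mirrored frames without any of these.
Disable-NetAdapterBinding -Name $NewName -AllBindings

# Verify: nothing should remain enabled on the mirror adapter.
$left = Get-NetAdapterBinding -Name $NewName | Where-Object Enabled
if ($left) {
    Write-Warning "Still bound on '$NewName': $($left.DisplayName -join ', ')"
} else {
    "All bindings removed from '$NewName'"
}
```

After this the adapter disappears from "Network and Sharing Center" (see the caveats below) but is still visible under "Change adapter settings" and to the capture driver.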

Install and Use Packet Capture Software


I'll be using Wireshark for Windows; if desired you could substitute something like Microsoft Network Monitor or Microsoft Message Analyzer on Windows; Wireshark or tcpdump on Linux. 

  1. Download and install Wireshark. The portable version works just as well if you prefer.
  2. Open Wireshark and click the "Interface List" button on the upper left hand corner.


  3. Select the dedicated capture NIC (which we renamed earlier), ensure it is the only one selected, and click "Start".


  4. Enjoy all your packets.
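If you would rather leave a capture running unattended than click through the GUI, tshark (the command-line capture tool that ships with Wireshark) can do the same job from PowerShell. This is an added example, not part of the original post; it assumes the mirror adapter was renamed "vSwitch-LAN Port Mirror" in the earlier step, that tshark is on the PATH, and that C:\Captures is an acceptable output folder.

```powershell
# Added example (not from the original post): unattended capture on the mirror NIC
# with tshark, using a ring buffer so a long-running capture can't fill the disk.
$MirrorNic = 'vSwitch-LAN Port Mirror'   # assumed: the name given to the adapter earlier
$OutDir    = 'C:\Captures'               # assumed output folder

# "tshark -D" lists interfaces as "N. \Device\NPF_{GUID} (Friendly Name)";
# find ours by the friendly name and keep the leading interface number.
$line = tshark -D | Where-Object { $_ -like "*($MirrorNic)*" }
if (-not $line) {
    throw "Interface '$MirrorNic' not listed by tshark; is the capture driver loaded?"
}
$ifNum = ([string]$line -split '\.')[0]

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Capture only on the mirror interface. Ring buffer: 50 MB files (tshark's -b filesize
# is in kB), keep the newest 20, and stop automatically after one hour.
tshark -i $ifNum `
       -w (Join-Path $OutDir 'mirror.pcapng') `
       -b filesize:51200 -b files:20 `
       -a duration:3600
```

Open the resulting .pcapng files in Wireshark as usual. Because the mirror adapter has no protocol bindings, the only traffic on it is what Hyper-V replicates from the source NIC(s).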

Powershell Commands for NIC Setup/Mirroring
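The host-side steps above map directly onto the Hyper-V PowerShell module. The following is an added example, not the original post's own commands: it marks the source NIC, adds a dedicated destination NIC to the capture VM, reports the new adapter's MAC (handy for finding it inside the guest), audits which adapters on the switch still have a mirroring mode set, and resets them all when you are done. Every VM, adapter and switch name is a placeholder for your environment; `-PortMirroring` takes `None`, `Source` or `Destination`, and the matching property on `Get-VMNetworkAdapter` output is `PortMirroringMode`.

```powershell
# Added example (not the original post's commands): host-side setup, audit and
# tear-down of Hyper-V port mirroring via the Hyper-V PowerShell module.
# All VM, adapter and switch names are placeholders.

function Enable-VmPortMirror {
    param(
        [string]$SwitchName,   # vSwitch shared by both VMs
        [string]$SourceVM,     # VM whose traffic is mirrored
        [string]$SourceNic,    # adapter name on the source VM ('Network Adapter' by default)
        [string]$CaptureVM     # VM that will run the sniffer
    )
    $mirrorNic = "$SwitchName Port Mirror"

    # Mirroring only works within one virtual switch, so check before changing anything.
    $src = Get-VMNetworkAdapter -VMName $SourceVM -Name $SourceNic
    if ($src.SwitchName -ne $SwitchName) {
        throw "Source NIC '$SourceNic' is on '$($src.SwitchName)', not '$SwitchName'."
    }
    Set-VMNetworkAdapter -VMName $SourceVM -Name $SourceNic -PortMirroring Source

    # Dedicated destination NIC on the capture VM; shut the VM down first, as in the GUI steps.
    Stop-VM -Name $CaptureVM
    Add-VMNetworkAdapter -VMName $CaptureVM -Name $mirrorNic -SwitchName $SwitchName
    Set-VMNetworkAdapter -VMName $CaptureVM -Name $mirrorNic -PortMirroring Destination
    Start-VM -Name $CaptureVM

    # Return the MAC so the adapter can be identified unambiguously inside the guest.
    (Get-VMNetworkAdapter -VMName $CaptureVM -Name $mirrorNic).MacAddress
}

function Get-VmPortMirrorAudit {
    # Every adapter on the switch with a mirroring mode still set. Each 'Source'
    # listed here is being replicated to every 'Destination' on the same switch.
    param([string]$SwitchName)
    Get-VM | Get-VMNetworkAdapter |
        Where-Object { $_.SwitchName -eq $SwitchName -and $_.PortMirroringMode -ne 'None' } |
        Select-Object VMName, Name, SwitchName, PortMirroringMode
}

function Disable-VmPortMirror {
    # Reset every mirroring mode on the switch; replication continues until this is done.
    param([string]$SwitchName)
    Get-VM | Get-VMNetworkAdapter |
        Where-Object { $_.SwitchName -eq $SwitchName -and $_.PortMirroringMode -ne 'None' } |
        ForEach-Object { Set-VMNetworkAdapter -VMNetworkAdapter $_ -PortMirroring None }
}

# Usage with placeholder names:
$mac = Enable-VmPortMirror -SwitchName 'vSwitch-LAN' -SourceVM 'WebServer01' `
                           -SourceNic 'Network Adapter' -CaptureVM 'CaptureVM01'
"Mirror NIC MAC to look for inside the capture VM: $mac"
Get-VmPortMirrorAudit -SwitchName 'vSwitch-LAN'

# When the capture is finished:
# Disable-VmPortMirror -SwitchName 'vSwitch-LAN'
```

Run `Get-VmPortMirrorAudit` before you start and after you finish: it shows at a glance whether more than one adapter on the switch is set to "Source" (all of them would be replicated to the destination NIC) and whether anything was left switched on after a capture.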

Caveats

  • You won't be able to decrypt encrypted traffic unless you obtain the private key from the target server for decryption, which obviously may be a security issue since the capture machine isn't that server.
  • Make sure you de-config (new word!) the port mirroring in Hyper-V when you're done, as the packet replication continues even if you're not capturing.
  • After unbinding all services/protocols in Windows the adapter won't appear in the "Network and Sharing Center" anymore. You'll have to click "Change adapter settings" to get to the NIC.

More Reading



That's it, easy eh? Questions/Comments, leave 'em below!

2 comments:

Jason Godfrey said...

Does this capture all the traffic on the switch or just the traffic hitting that particular vmnic?

Toby Meyer said...

Hey Jason!

Good question, I just ran some tests to confirm... it will capture any VMNIC on that switch with the advanced options set to "Source". If you only have one VMNIC setup as "Source" then only that will be captured, but there is nothing stopping one from doing this with multiple adapters at the same time. Another reason to ensure that when done with a cap one should remember to remove the source setting.

Thanks!