Only the host administrator can turn on promiscuous mode, right? Then that seems reasonable enough.
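Sorry, I didn't make myself clear. The Host belongs to the user; I only have Guest privileges and no Hypervisor privileges. The promiscuous mode I mean here is the guest turning on promiscuous mode when it runs a sniffer (i.e. the default for tcpdump or wireshark), not turning on promiscuous mode on the vSwitch. That is exactly why I was surprised.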

....BTW, this is what VMware's knowledge base says....
By default, a guest operating system's virtual network adapter only receives frames that are meant for it. Placing the guest's network adapter in promiscuous mode causes it to receive all frames passed on the virtual switch that are allowed under the VLAN policy for the associated portgroup. This can be useful for intrusion detection monitoring or if a sniffer needs to analyze all traffic on the network segment.
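As generally understood, a physical switch only forwards traffic to the ports that need it; unless port mirroring is turned on, the NIC on the other end cannot see other hosts' unicast traffic even with promiscuous mode enabled. But according to VMware's knowledge base, as soon as the Guest's NIC enters promiscuous mode, the vSwitch forwards all traffic to it (similar to port mirroring). That does not seem very reasonable (unless it can be turned off, or the default behaviour should be the opposite), because the Host's administrator does not necessarily know what the applications on the Guest are doing. If it really behaves the way I have seen so far, the vSwitch ought to be renamed vHub to better match the general understanding.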

....