Traffic between VirtualBox guests not showing up in tcpdump

9

0

I have a test environment set up with 4 VirtualBox guests running CentOS 6. Each has one network device attached to a bridged adapter, which is my primary network connection on my PC, with a static IP address (ranging from 192.168.2.95-98) accessible by any device on my network.

Sometimes I need to be able to analyze packets for one reason or another. At first, I just SSH'ed into my router and used tcpdump to capture all packets from the guests. Well, it's not working as planned...

The only packets that show up using tcpdump are traffic between 98 and other devices on my network besides guests. 98 is the only guest that communicates with other devices on my network (besides SSH traffic); the rest communicate with other guests.

I started out filtering tcpdump by host for each of the guest IP addresses. I ended up stripping it all the way down to dumping everything. Since all the packets go through the network adapter on my PC, I captured all the packets for that card with still no success!

VirtualBox mangles, injects, and removes packets on the adapter when using bridged networking. If the packet is to go to another guest, does VirtualBox keep the packet and forward it on to the appropriate guest? If so, how can I capture those packets?

Logan Bibby

Posted 2012-12-26T21:16:10.830

Reputation: 193

What OS is your host computer? – heavyd – 2012-12-26T21:45:38.720

And does tcpdump (or other packet sniffer) on your host show any traffic? I would guess your host OS / VirtualBox are smart enough to not actually send packets to your router only to have them come right back on the same interface. – Goyuix – 2012-12-26T21:53:55.663

@heavyd - it's Windows 7. – Logan Bibby – 2012-12-26T21:59:42.327

@Goyuix - That's why I captured all the packets on the card. It shows the same thing as the dump from my router. If it does keep the packets, where can I find them? – Logan Bibby – 2012-12-26T22:01:44.450

Answers

6

When you use VirtualBox's bridged networking mode, VirtualBox acts like a virtual switch between your host computer's physical interface and the virtual network. The packets traveling between computers on the virtual network never get to a point in the host networking stack where tcpdump can pick them up, so you can't see that traffic from the host.

You could try to use VirtualBox's built-in network tracing feature. This is a debugging tool, but it generates pcap files, is built in, and is easy to set up. To enable network tracing you can use the VBoxManage command line with the --nictrace* options:

VBoxManage modifyvm [your-vm] --nictrace[adapter-number] on --nictracefile[adapter-number] file.pcap

heavyd

Posted 2012-12-26T21:16:10.830

Reputation: 54 755

Any idea why tcpdump-ing inside guest doesn't capture VM-to-VM traffic? I don't care that much about the host IP stack; rather I'd expect to see tcpdump run in the guest OS correctly. On the surface, that's a reasonable expectation, since the guest network stack should presumably be working as usual. So, what's wrong? – ulidtko – 2016-11-23T11:57:41.513

@ulidtko I would recommend creating a new question with your specific details including OS-es, versions and networking configurations. – heavyd – 2016-11-23T15:27:30.647

Tried it out and it worked like a charm. This is all I needed! I wish I could upvote this 10 times... You have no idea how long this issue has plagued me. – Logan Bibby – 2012-12-27T18:52:48.043
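
Once the --nictrace options from the answer above have produced a pcap file, a short script can confirm that the guest-to-guest packets missing from the host capture are in it. This is an added example, not part of the original thread: it assumes the trace is a classic pcap file with Ethernet link type, uses the guest addresses 192.168.2.95-98 from the question, and builds its sample capture inline (constructed bytes, not taken from a real VM).

```python
import ipaddress
import struct
from collections import Counter

# Guest addresses from the question (192.168.2.95-98).
GUESTS = {ipaddress.IPv4Address(f"192.168.2.{n}") for n in range(95, 99)}

def guest_to_guest_flows(pcap_bytes, guests=GUESTS):
    """Count IPv4 packets whose source and destination are both guests."""
    # The magic number tells us the byte order of all header fields.
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None or len(pcap_bytes) < 24:
        raise ValueError("not a classic microsecond pcap file")
    (linktype,) = struct.unpack_from(endian + "I", pcap_bytes, 20)
    if linktype != 1:
        raise ValueError("expected Ethernet link type (1)")
    flows, offset = Counter(), 24
    while offset + 16 <= len(pcap_bytes):
        # Record header: ts_sec, ts_usec, incl_len, orig_len.
        (incl_len,) = struct.unpack_from(endian + "I", pcap_bytes, offset + 8)
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        # Need Ethernet (14) + minimal IPv4 header (20) and EtherType 0x0800;
        # ARP, IPv6 and VLAN-tagged frames are skipped.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        src = ipaddress.IPv4Address(frame[26:30])
        dst = ipaddress.IPv4Address(frame[30:34])
        if src in guests and dst in guests:
            flows[(str(src), str(dst))] += 1
    return flows

def sample_pcap():
    """Constructed sample capture: two guest-to-guest frames, one to the router."""
    def frame(src, dst):
        eth = b"\x08\x00\x27\x00\x00\x02" + b"\x08\x00\x27\x00\x00\x01" + b"\x08\x00"
        ip = b"\x45\x00\x00\x14" + b"\x00" * 4 + b"\x40\x01\x00\x00"
        return eth + ip + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    frames = [frame("192.168.2.95", "192.168.2.96"),
              frame("192.168.2.98", "192.168.2.1"),
              frame("192.168.2.96", "192.168.2.95")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for (src, dst), count in guest_to_guest_flows(sample_pcap()).items():
        print(f"{src} -> {dst}: {count} packet(s)")
```

To check a real trace, pass the file's contents instead of the sample, for example `guest_to_guest_flows(open("file.pcap", "rb").read())`.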