We are still in the testing phase and we were trying to install the software in a virtual machine under a VMware ESXi 3.5 server, which will be the final place for us to install Wfilter for monitoring all network traffic.
Scenario:
We have Wfilter installed in a virtual machine on a server with 4 network cards. We assigned two network cards to the Wfilter VM (one network card exclusively for mirroring traffic, with mirroring at the layer III switch redirecting all internet traffic to this NIC, and another one for accessing the Wfilter VM). When we installed the Wfilter software and added the trial license, we were unable to monitor any computer, not even the Wfilter virtual machine itself.
Can you help us?
I don't know if it is the virtualization server NIC itself that causes the issue.
Can WFilter work in vmware machine?
We did a certain test with "vmware workstation 6.0". WFilter is able to monitor other computers when the vmware network card is in "bridge mode". We will do a test with "Vmware ESXi server" ASAP.
Now, I need more details:
1. In "System Settings"->"Monitor settings" of WFilter, what is the ip address of the "monitoring adapter"?
2. In "System Settings"->"Monitor settings" of WFilter, what is the "IP Segment" setting?
3. There is a simple way to check whether packets are successfully mirrored. Can you check it following this instruction: How to check whether port mirroring settings are correct?
Can WFilter work in vmware machine?
These are the answers to your three questions:
1. The IP address of the monitoring adapter is: 10.200.2.133.
2. The segments we have been monitoring are: 10.200.2.0/24, 10.200.3.0/24, 10.200.4.0/24, 10.200.21.0/24, 10.200.22.0/24, 10.200.25.0/24, 10.200.26.0/24 (but I have tried many combinations and any of them work). Could I include 10.200.0.0/19 and this way include my entire LAN network or 0.0.0.0/0?
3. I already have verified that before and the Wfilter VM is configured with port mirroring at the layer III switch side, and there is a greater amount of packets received than packets sent.
Any suggestion?
Can WFilter work in vmware machine?
The monitoring adapter and "ip segments" settings are correct. You also can use "10.200.0.0/19" as "ip segments". But you can not use "0.0.0.0/0".
WFilter does support layer3 switch. Since there is a great amount of received packets, WFilter shall be able to monitor some computers at least. Unless:
1. You're not mirroring packets for "both" directions. For example, there is a parameter "both|rx|tx" for the "monitor session" command of cisco switch. And this parameter shall be "both".
2. In "User-computer table" of WFilter, the "Enable Monitor" option of certain computers shall be checked.
Please check.
If the problem still exists, I need a packet dump for diagnosis. Please follow the steps below to generate a packet dump.
1). In "Start"->"IMFirewall WFilter"->"Tools", click the "Packet dump tool". If you didn't install WFilter shortcuts, you can launch the "dumpPacket.exe" in WFilter directory.
2). It will ask you to input the ip address for testing. You can just press "enter" here.
3). Wait for about 3-5 seconds, then close the packet dump application.
4). You will find a file named "dump.cap" in temp directory of WFilter. This is a pcap format packet dump, you can open it using wireshark.
5). Send this file to me. If this file is too large, do it again and wait for fewer seconds in step 3.
You can find a tutorial here: Use dumpPacket.exe of WFilter to generate a packet dump file.
Can WFilter work in vmware machine?
1. I have confirmed with the network administrator that the mirroring port on the Cisco switch is configured with "both" parameter.
2. I verified the "User-computer table" of WFilter and the state is enabled, but there is only the WFilter computer registered.
I made a test on a portable computer that we used before for testing the WFilter application: when I plugged the network cable from the Layer III switch mirroring port into the laptop NIC, the WFilter application worked normally. But we need to set up this application in the virtual machine, and we are still unable to do it that way.
Can WFilter work in vmware machine?
On the VMware website, it says "Promiscuous mode is disabled by default for all virtual machines. This prevents them from seeing unicast traffic to other nodes on the network." And "Promiscuous mode" is required for WFilter to do monitoring.
I also found an article at http://www.vmware.com/support/esx21/doc/esx21admin_virtualadapter.html
This article shows how to "Enabling a Virtual Adapter to Use Promiscuous Mode".
Can you follow this article and give it a try?
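Added example (not part of the original posts and not WFilter code): a guest whose virtual switch blocks promiscuous mode still receives broadcast and multicast frames, so a rising receive counter alone does not show that mirrored traffic reaches the VM. This Python check reads a classic pcap file, such as the dump.cap described earlier in the thread, and counts unicast frames exchanged between other hosts. The MAC addresses and the two sample captures are constructed, and it assumes the dump is classic pcap with Ethernet framing.

```python
import struct

# Classic pcap magic numbers (microsecond and nanosecond variants) -> byte order
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
               b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}

def classify_capture(data, own_mac):
    """Count Ethernet frames in a classic pcap by destination class."""
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError(f"expected Ethernet (linktype 1), got {linktype}")
    counts = {"broadcast_multicast": 0, "own_unicast": 0, "foreign_unicast": 0}
    off = 24                                    # skip the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 12:
            continue                            # truncated record
        dst, src = frame[:6], frame[6:12]
        if dst[0] & 1:                          # group bit: broadcast/multicast
            counts["broadcast_multicast"] += 1
        elif own_mac in (dst, src):             # the monitor's own traffic
            counts["own_unicast"] += 1
        else:                                   # visible only via mirror + promiscuous
            counts["foreign_unicast"] += 1
    return counts

def sees_mirrored_traffic(counts):
    """True when unicast frames between other hosts reached the adapter."""
    return counts["foreign_unicast"] > 0

# --- constructed sample data (hypothetical MAC addresses) ---
MONITOR_MAC = bytes.fromhex("005056000001")
HOST_A, GATEWAY = bytes.fromhex("0050560000aa"), bytes.fromhex("0050560000fe")
BROADCAST = b"\xff" * 6

def frame(dst, src):
    return dst + src + b"\x08\x00" + bytes(46)

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

BLIND_VM = build_pcap([frame(BROADCAST, HOST_A), frame(MONITOR_MAC, GATEWAY)])
MIRRORED = BLIND_VM + b"".join(struct.pack("<IIII", 0, 0, 60, 60) + f
                               for f in (frame(GATEWAY, HOST_A), frame(HOST_A, GATEWAY)))
```

A capture with received packets but `foreign_unicast` at zero matches the symptom in this thread: traffic arrives, yet only the monitoring machine itself shows up.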
Can WFilter work in vmware machine?
Today I made the suggested change at the VMware virtualization server, and after that change I was able to monitor all the computers in my network.