
Wireshark-users: [Wireshark-users] problem using linux virtual host on vmware to sniff mirrored p

From: Jeff Liegel <jliegel@xxxxxxxxxxxxxxx>
Date: Fri, 19 Dec 2014 00:17:38 +0000
I have two physical ports connected to a VMware server, and I want one of them to be just for internet gateway packet sniffing and the other physical port to be used for real traffic; for example, I have a DNS server and a web server.

I used the physical Ethernet switch to mirror traffic to/from a server to the VMware sniffing port, but for some reason the incoming packets show up on the wrong interface. More details below:


Here is the virtual switch config below from VMware.
On the physical switch, the port that goes to vmnic0 is configured with 5 tagged VLANs (for real traffic).
On the physical switch, the port that goes to vmnic1 is configured with 1 untagged VLAN (mirror of the physical port going to server 208.77.2.78).
On the physical switch, the port that goes to server 208.77.2.78 is configured with 1 untagged VLAN.

When I do a packet trace of 208.77.2.78 from one of the virtual servers, I see the inbound packets on the wrong virtual machine port group, but the outbound packets show up on the correct one.

For example, on one virtual server eth1 is associated with vmnic1 and eth2 is associated with vmnic0, and I see the inbound mirrored packets on eth2 and the outbound packets on eth1. The inbound is incorrect.

Eth2, where the inbound packets show up, has a physical IP address of 208.77.2.216.


Here is an example packet that is mirrored. I wonder if the 802.1Q is confusing the VMware virtual switch.


Frame 64 (70 bytes on wire, 70 bytes captured)
    Arrival Time: Dec 18, 2014 13:22:15.076391000
    [Time delta from previous captured frame: 0.000467000 seconds]
    [Time delta from previous displayed frame: 0.000467000 seconds]
    [Time since reference or first frame: 0.277901000 seconds]
    Frame Number: 64
    Frame Length: 70 bytes
    Capture Length: 70 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:vlan:ip:tcp]
Ethernet II, Src: Procurve_cb:ef:00 (00:23:47:cb:ef:00), Dst: QuantaCo_02:75:ca (00:26:9e:02:75:ca)
    Destination: QuantaCo_02:75:ca (00:26:9e:02:75:ca)
        Address: QuantaCo_02:75:ca (00:26:9e:02:75:ca)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: Procurve_cb:ef:00 (00:23:47:cb:ef:00)
        Address: Procurve_cb:ef:00 (00:23:47:cb:ef:00)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 3
    000. .... .... .... = Priority: 0
    ...0 .... .... .... = CFI: 0
    .... 0000 0000 0011 = ID: 3
    Type: IP (0x0800)
Internet Protocol, Src: 208.77.1.35 (208.77.1.35), Dst: 208.77.2.78 (208.77.2.78)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 52
    Identification: 0x21e3 (8675)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 120
    Protocol: TCP (0x06)
    Header checksum: 0x3cd5 [correct]
        [Good: True]
        [Bad : False]
    Source: 208.77.1.35 (208.77.1.35)
    Destination: 208.77.2.78 (208.77.2.78)
Transmission Control Protocol, Src Port: 53600 (53600), Dst Port: http-alt (8080), Seq: 0, Len: 0
    Source port: 53600 (53600)
    Destination port: http-alt (8080)
    Sequence number: 0    (relative sequence number)
    Header length: 32 bytes
    Flags: 0x02 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 8192
    Checksum: 0x9c12 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
    Options: (12 bytes)
        Maximum segment size: 1380 bytes
        NOP
        Window scale: 8 (multiply by 256)
        NOP
        NOP
        SACK permitted
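As an added example (not part of the original post or of Wireshark), the following Python decoder rebuilds the layer 2 through IPv4 header bytes from the dissection above as a constructed byte string (the 32-byte TCP header is left out), then parses the 802.1Q tag and IPv4 header and checks that the header checksum comes out to the 0x3cd5 Wireshark reports. Running the same decoder over a capture taken on each guest interface shows whether the mirrored frames still carry VLAN ID 3 at that point, which is what the question about the vSwitch and the tag hinges on.

```python
import struct
from ipaddress import IPv4Address

# Constructed from the dissection in the post: Ethernet II + 802.1Q tag + IPv4 header
# (the 32-byte TCP header is omitted, so this is 38 of the 70 bytes on the wire).
MIRRORED_FRAME_HEAD = bytes.fromhex(
    "00269e0275ca"      # dst MAC 00:26:9e:02:75:ca (QuantaCo)
    "002347cbef00"      # src MAC 00:23:47:cb:ef:00 (ProCurve)
    "8100"              # TPID: 802.1Q Virtual LAN
    "0003"              # TCI: PRI 0, CFI 0, VID 3
    "0800"              # encapsulated EtherType: IPv4
    "4500" "0034"       # version 4 / IHL 5, DSCP 0 / ECN 0, total length 52
    "21e3" "4000"       # identification 0x21e3, flags DF, fragment offset 0
    "7806" "3cd5"       # TTL 120, protocol TCP (6), header checksum 0x3cd5
    "d04d0123"          # src 208.77.1.35
    "d04d024e"          # dst 208.77.2.78
)

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header whose checksum field is zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_tagged_frame(frame: bytes) -> dict:
    """Decode Ethernet II, an optional 802.1Q tag and the IPv4 header; verify the IP checksum."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "vlan_id": None}
    offset = 14
    if ethertype == 0x8100:                      # tag present: 2-byte TCI, then the real EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(pcp=tci >> 13, cfi=(tci >> 12) & 1, vlan_id=tci & 0x0FFF)
        offset = 18
    info["ethertype"] = ethertype
    if ethertype != 0x0800:
        return info
    ihl = (frame[offset] & 0x0F) * 4             # header length in bytes from the IHL nibble
    ip_hdr = frame[offset:offset + ihl]
    ttl, proto, cksum = struct.unpack("!BBH", ip_hdr[8:12])
    info.update(
        src_ip=str(IPv4Address(ip_hdr[12:16])), dst_ip=str(IPv4Address(ip_hdr[16:20])),
        ttl=ttl, protocol=proto, ip_checksum=cksum,
        ip_checksum_ok=ip_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]) == cksum,
    )
    return info

if __name__ == "__main__":
    for key, value in parse_tagged_frame(MIRRORED_FRAME_HEAD).items():
        print(f"{key}: {value}")
```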