Gregg O’Brien is a Microsoft Premier Field Engineer from Canada, where French people are readily available.
There comes a point in the life of every server administrator where they must take a look at what is happening on the network.
Complex multi-tiered systems and fancy network gear can often leave us wondering just what is happening on that wire, especially when things go wrong. Capturing network traffic gives us the opportunity to see exactly what hits the network, and is one of the most concrete and accurate representations of data.
Unfortunately, virtualization makes this a lot more complicated. Especially when we are looking at systems which are proprietary, high-load/high-performance, or mission critical, and which are either unable to run network capture software or would be at too high a risk of performance degradation (or other malfunctions) when running a network capture app. In a physical server environment, things like port mirroring on switches or even using a good old-fashioned network hub can make it possible to capture network traffic without having software present on the server. But these options are not possible with virtualization, due to limitations imposed by the virtual switch.
This is where Hyper-V on Windows Server 2012 comes in!
One of the great new features in Hyper-V on Windows Server 2012 is the ability to have extensible switch modules.
Now, Microsoft and 3rd party vendors can add extensions to the virtual switch infrastructure to perform operations on traffic at the switch level. The extension we’re going to use today is the Microsoft NDIS Packet Capture Filter Driver. It allows us to configure virtualized network interfaces to behave as if port mirroring were in effect: allowing a protocol analyzer on one virtual machine to capture network traffic from another.
So what are the benefits of this? 1) No need to install network monitoring software on every virtual machine! 2) Since there is no need to install anything on the target VM, there is no need for a change management ticket or outage window to install the network monitoring software. Troubleshooting can begin sooner! 3) VMs running applications or OSes that can’t accept the installation of network monitoring software can be monitored. 4) VM/Application performance is not affected by having network capture software installed on the same virtual machine.
So now that we understand what it’s all about, let’s take a look at how we get it done.
In my lab, I’ll use two VMs:
Starting with the configuration on C-LAB-2012B:
Now over to Tools-VM, which will be the destination - where the mirrored traffic will be sent to.
Now we can install Microsoft Network Monitor to go ahead and start capturing traffic. It can be found on the Microsoft website here.
Installation of Network Monitor is pretty straightforward: Just run the executable file and perform a complete installation.
Once Network Monitor is installed, we can configure Network Monitor to start capturing the traffic we want to see from the other machine, C-LAB-2012B.
Over on C-LAB-2012B, I started generating some interesting traffic.
Now on Tools-VM we can see the traffic being captured in Network Monitor just as if the traffic was destined for Tools-VM itself!
And with that, we can now capture network traffic from another VM on the same host. It’s one of the great new features of Hyper-V in Windows Server 2012.
I bet this will make virtual machine administration and troubleshooting much easier!
Posted by Tristan Kington, MSPFE Editor in promiscuous mode.
Do the VMs have to be connected to the same virtual network/switch? If so then do they have to have IP addresses?
Since Port Mirroring works at the Virtual Switch Level, VMs must be connected to the same virtual switch.