KB2885541 – Packet Sniffing Tools Misses Packets Via Hyper-V Port Mirroring

WS2012 Hyper-V (and later) gives you the ability to enable port mirroring in VM network connections.  The source VM mirrors packets to a VM with destination mode enabled.  This is handy for diagnostics of machines that you cannot change or log into; you run a network sniffer on the destination machine without impacting a production VM – no reboots, installs, changes to the guest OS, etc.

Microsoft has released a related KB article for when a packet sniffing tool does not sniff all network traffic through port mirroring on a virtual machine that is hosted by a Windows Server 2012 Hyper-V host.

Symptoms

Consider the following scenario:

  • You create a virtual machine (VM) on a Windows Server 2012-based server that has the Hyper-V server role installed.
  • You connect the VM to a virtual switch that is connected to a physical network.
  • You have two computers (computer A and computer B) that both connect to the physical network.
  • The two computers and the VM are in the same subnet.
  • You set Mirroring Mode to Destination under the Port Mirroring section of Advanced Features in the VM’s network settings.
  • You run a packet sniffing tool on the VM.
  • You ping computer B from computer A.

In this scenario, the packet sniffing tool does not capture the packets between computer B and computer A.

Cause

This issue occurs because the virtual switch does not deliver the packets to the mirroring destination port.

A supported hotfix is available from Microsoft.

Please follow and like us: