{"id":15569,"date":"2013-10-11T12:20:25","date_gmt":"2013-10-11T11:20:25","guid":{"rendered":"https:\/\/aidanfinn.com\/?p=15569"},"modified":"2013-10-11T12:20:25","modified_gmt":"2013-10-11T11:20:25","slug":"kb2885541-packet-sniffing-tools-misses-packets-via-hyper-v-port-mirroring","status":"publish","type":"post","link":"https:\/\/aidanfinn.com\/?p=15569","title":{"rendered":"KB2885541 \u2013 Packet Sniffing Tools Misses Packets Via Hyper-V Port Mirroring"},"content":{"rendered":"<p>WS2012 Hyper-V (and later) gives you the ability to enable port mirroring in VM network connections.&#160; The source VM mirrors packets to a VM with destination mode enabled.&#160; This is handy for diagnostics of machines that you cannot change or log into; you run a network sniffer on the destination machine without impacting a production VM \u2013 no reboots, installs, changes to the guest OS, etc.<\/p>\n<p>Microsoft has released a related <a href=\"https:\/\/support.microsoft.com\/kb\/2885541\" target=\"_blank\">KB<\/a> article for when a packet sniffing tool does not sniff all network traffic through port mirroring on a virtual machine that is hosted by a Windows Server 2012 Hyper-V host.<\/p>\n<blockquote>\n<p><strong><u>Symptoms<\/u><\/strong><\/p>\n<p>Consider the following scenario:<\/p>\n<ul>\n<li>You create a virtual machine (VM) on a Windows Server 2012-based server that has the Hyper-V server role installed. <\/li>\n<li>You connect the VM to a virtual switch that is connected to a physical network. <\/li>\n<li>You have two computers (computer A and computer B) that both connect to the physical network. <\/li>\n<li>The two computers and the VM are in the same subnet. <\/li>\n<li>You set <strong><b>Mirroring Mode<\/b><\/strong> to <strong><b>Destination<\/b><\/strong> under the <strong><b>Port Mirroring <\/b><\/strong>section of Advanced Features in the VM&#8217;s network settings. <\/li>\n<li>You run a packet sniffing tool on the VM. 
<\/li>\n<li>You ping computer B from computer A.<\/li>\n<\/ul>\n<p> In this scenario, the packet sniffing tool does not capture the packets between computer B and computer A.    <\/p>\n<p><strong><u>Cause<\/u><\/strong><\/p>\n<p>This issue occurs because the virtual switch does not deliver the packets to the mirroring destination port.<\/p>\n<\/blockquote>\n<p>A supported hotfix is <a href=\"http:\/\/support.microsoft.com\/hotfix\/KBHotfix.aspx?kbnum=2885541\" target=\"_blank\">available<\/a> from Microsoft.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>WS2012 Hyper-V (and later) gives you the ability to enable port mirroring in VM network connections.&#160; The source VM mirrors packets to a VM with destination mode enabled.&#160; This is handy for diagnostics of machines that you cannot change or log into; you run a network sniffer on the destination machine without impacting a production &hellip; <a href=\"https:\/\/aidanfinn.com\/?p=15569\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;KB2885541 \u2013 Packet Sniffing Tools Misses Packets Via Hyper-V Port 
Mirroring&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[20],"tags":[181,80,195,118],"class_list":["post-15569","post","type-post","status-publish","format-standard","hentry","category-hyper-v","tag-hyper-v","tag-networking","tag-virtualisation","tag-windows-server-2012"],"aioseo_notices":[],"jetpack_featured_media_url":"","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/15569","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15569"}],"version-history":[{"count":0,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/15569\/revisions"}],"wp:attachment":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15569"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15569"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15569"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}