Whether you are a server, network, or VMware admin, a common tool for analyzing network issues is a protocol analyzer (also called a packet analyzer or "sniffer"). These software applications analyze network traffic in real time so that you can view the packets traversing a network. They will tell you which network device is creating the most traffic, which protocols are used most, who is talking to whom on the LAN, and whether there are network errors. If packets are being sent in clear text, you can even decode that text to see things like passwords.
Why you need Promiscuous Mode
Network switches use a forwarding table (CAM table on a Cisco switch) to track what Ethernet devices are on what Ethernet port, and only send traffic destined for those devices out that port. By default, protocol analyzers will only see traffic sent from or to the computer they are running on. Very likely, that isn't going to help you to troubleshoot the network, so the common procedure is to perform "port mirroring" or configure "port spanning" (SPAN or RSPAN). This copies all traffic going to or from a particular port (or group of ports or list of VLANs) to a destination port. Then, you would analyze that port with your protocol analyzer.
Promiscuous Mode on the Virtual Network
But what happens when the network is virtual? Don't worry, this same process can also be performed on a virtual switch, allowing you to see all traffic traversing a virtual switch or vDS. To do this, run a protocol analyzer like Wireshark (free edition) inside a virtual machine and then configure the port group where the VM is connected to be in promiscuous mode.
Once promiscuous mode is configured on the vSwitch, that carries down to the port groups in that vSwitch. Now, every port in the VM port group will see the traffic traversing the vSwitch (being sent to and from the VMs on the vSwitch). And suddenly, your Wireshark protocol analyzer will begin to see all traffic from all other VMs, allowing you to analyze the traffic on the vNetwork.
Think about it, you are analyzing the virtual network at zero cost after tweaking just one vSphere virtual switch setting and installing your protocol analyzer on a VM connected to that vSwitch.
Reasons to Analyze the Virtual Network
Why would you want to analyze the virtual network? Really, the reasons to analyze the virtual network are typically the same reasons you would analyze the physical network. Here are some reasons I have analyzed the virtual network in the past:
- Identify the VM that is overutilizing network bandwidth, causing slowdowns on the virtual (or physical) network
- Find PCs that are infected with worms or viruses
- Troubleshoot malfunctioning network services (DHCP or DNS maybe) or network applications
- Prove that the network is NOT the cause of a problem
- Sniff the network for malicious or unwanted traffic
- and much more...
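To check that a capture taken on the promiscuous port group described earlier really contains other VMs' traffic, and to rank senders by bytes as in the first reason in the list above, the following added example (not part of the original article) reads a classic pcap file such as tcpdump -w produces. The MAC addresses and the four-frame capture are constructed for illustration, and Wireshark's default pcapng format is not handled.

```python
import struct
from collections import Counter

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def frames(pcap):
    """Yield (frame, original_length) from a classic pcap byte string."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl, orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        data = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(data) >= 14:                   # need a full Ethernet header
            yield data, orig

def summarize(pcap, own_mac):
    """Return (bytes per source MAC, unicast frames between other hosts)."""
    own = bytes.fromhex(own_mac.replace(":", ""))
    talkers, foreign = Counter(), 0
    for data, orig in frames(pcap):
        dst, src = data[:6], data[6:12]
        talkers[mac(src)] += orig
        # I/G bit clear means unicast; neither end is the capture NIC
        if not dst[0] & 1 and own not in (dst, src):
            foreign += 1
    return talkers, foreign

def build_sample():
    """Constructed capture: sniffer VM ...:01 plus two other VMs (...:0a, ...:0b)."""
    sniffer, vm_a, vm_b = "005056000001", "00505600000a", "00505600000b"
    spec = [("ffffffffffff", vm_a, 60),   # broadcast: visible in any mode
            (sniffer, vm_a, 100),         # addressed to the sniffer itself
            (vm_b, vm_a, 1500),           # VM to VM: needs promiscuous mode
            (vm_a, vm_b, 200)]            # VM to VM: needs promiscuous mode
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for dst, src, size in spec:
        frame = bytes.fromhex(dst + src) + b"\x08\x00" + bytes(size - 14)
        out += struct.pack("<IIII", 0, 0, size, size) + frame
    return out

if __name__ == "__main__":
    talkers, foreign = summarize(build_sample(), "00:50:56:00:00:01")
    print(talkers.most_common(), "foreign unicast frames:", foreign)
```

If the foreign unicast count stays at zero on a busy port group, the capture NIC is only receiving its own, broadcast, and multicast traffic, so the promiscuous-mode setting has not taken effect for that port.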
Tools & Resources to Help you Analyze the Virtual Network
Many of the same tools you use to analyze the physical network can be used to monitor the virtual network, but there are a few additions.
- Free Wireshark for Protocol Analysis (packet sniffing)
- VMware KB1004099 - Configuring promiscuous mode on a virtual switch or portgroup
- Zenoss IT Opensource Management - not virtualization specific, but an excellent tool for managing virtual and physical networks
- Petri IT Knowledgebase - Basic Network Application Troubleshooting With Wireshark (Ethereal)
- Top 11 Packet Sniffer Reviews
- Free Xangati for ESX Server - a unique virtual appliance that is imported into ESX and then gives you tremendous insight into the virtual network
Video Training on Virtual Network Analysis
If you would like step-by-step video training on how to use a network packet analyzer on a VM, configuring the vSwitch, and analyzing the virtual traffic (with Wireshark and tcpdump), check out my new Train Signal vSphere Troubleshooting video training course (especially lesson #19). This new 14-hour video training covers vSphere Troubleshooting inside and out, including storage, network, and CLI troubleshooting. It will both prepare you for your VMware VCAP-DCA exam and help you troubleshoot your company's production virtual infrastructure. You can watch a sample video from the course and get a complete list of what the course covers at the Train Signal vSphere Troubleshooting course homepage.






