Configuring Promiscuous Mode for ESXi

Overview

This article is a supplement to my series of articles detailing the installation of Snort on Ubuntu, available here, but is helpful to anyone who needs to set up a VMware virtual switch for promiscuous mode. When you enable promiscuous mode on a virtual switch, you are allowing any host on that virtual switch to listen to all traffic on that virtual switch, rather than only the traffic destined for that host. Because this is a vulnerability (a malicious host could collect information not intended for it), you will only want to configure promiscuous mode if you have a host on that switch that specifically needs to see all traffic on the switch, typically when you have a NIDS like Snort installed.

Configuration

From the VMware webpage:

  1. Log into the ESXi/ESX host or vCenter Server using the vSphere Client.
  2. Select the ESXi/ESX host in the inventory (in this case, the Snort server).
  3. Click the Configuration tab.
  4. In the Hardware section, click Networking.
  5. Click Properties of the virtual switch for which you want to enable promiscuous mode.
  6. Select the virtual switch or portgroup you wish to modify and click Edit.
  7. Click the Security tab.
  8. From the Promiscuous Mode dropdown menu, click Accept.

Testing

To test that promiscuous mode is working correctly on the virtual switch, you have a few options, mostly based on running packet capture software on one host and checking whether it can see traffic passing between two other hosts.

If you configured Snort as detailed in my series of guides (available here), you should still have the rule enabled to alert whenever the Snort server sees ICMP messages. Ping between two different hosts on the virtual switch, and the Snort server should generate alerts.

Another way to test whether promiscuous mode is working is to use packet capture software such as Wireshark or tcpdump and look for traffic passing between two other hosts on the same virtual switch. Wireshark is a graphical tool, while tcpdump is a console tool.

A quick tcpdump to print out ICMP packets (ping echo request and reply for example):

sudo tcpdump -n -q icmp -i eth0

We have chosen to use the following flags in the example above:

-n            Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
-q            Be less verbose (than the default) while capturing packets.
icmp          Only show ICMP messages (ICMP echo request and reply generated by ping).
-i eth0       Listen for traffic on interface eth0.

Example output when pinging xkcd.com:

user@server:~$ sudo tcpdump -n -q icmp -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:20:44.811692 IP 192.168.1.109 > 107.6.106.82: ICMP echo request, id 8581, seq 1, length 64
22:20:44.922617 IP 107.6.106.82 > 192.168.1.109: ICMP echo reply, id 8581, seq 1, length 64
22:20:45.811962 IP 192.168.1.109 > 107.6.106.82: ICMP echo request, id 8581, seq 2, length 64
22:20:45.927140 IP 107.6.106.82 > 192.168.1.109: ICMP echo reply, id 8581, seq 2, length 64
22:20:46.812684 IP 192.168.1.109 > 107.6.106.82: ICMP echo request, id 8581, seq 3, length 64
22:20:46.924001 IP 107.6.106.82 > 192.168.1.109: ICMP echo reply, id 8581, seq 3, length 64
22:20:47.814323 IP 192.168.1.109 > 107.6.106.82: ICMP echo request, id 8581, seq 4, length 64
22:20:47.925460 IP 107.6.106.82 > 192.168.1.109: ICMP echo reply, id 8581, seq 4, length 64
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel
user@server:~$ 
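Note that the capture above only shows traffic to and from the capturing host itself (192.168.1.109), which any interface sees whether or not promiscuous mode is enabled; the conclusive check is that packets exchanged between two other hosts show up. The following script is an added example, not part of the original article or of VMware's documentation. It makes the two checks a Linux guest can run: whether the guest NIC is actually in promiscuous mode (the IFF_PROMISC bit, 0x100, in /sys/class/net/<iface>/flags, which tcpdump sets while it runs) and how many captured packets involve neither endpoint being the local address (which only the virtual switch policy can allow). The interface name eth0, the local address 192.168.1.109 and the two "other" hosts 192.168.1.50 and 192.168.1.60 are constructed for the sample capture and are assumptions.

```shell
#!/bin/sh
# Added example: verify promiscuous-mode capture on a Linux guest.
# Interface name and addresses below are assumptions, not the article's.

# True when the hex interface flags (as in /sys/class/net/eth0/flags,
# e.g. "0x1103") have the IFF_PROMISC bit (0x100) set.
flags_has_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Read the flags of a live interface and report its promiscuous state.
iface_is_promisc() {
    flags_has_promisc "$(cat "/sys/class/net/$1/flags")"
}

# Count tcpdump -n lines (format: "<time> IP <src> > <dst>: ...") read from
# stdin where neither source nor destination is the local address ($1).
# A count above zero means the switch is delivering other hosts' traffic.
count_foreign_packets() {
    awk -v me="$1" '
        $2 == "IP" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            if (src != me && dst != me) n++
        }
        END { print n + 0 }
    '
}

# Constructed sample capture: two lines mirror the article's own ping to
# xkcd.com, two lines are a ping between two other (hypothetical) guests.
SAMPLE_CAPTURE='22:20:44.811692 IP 192.168.1.109 > 107.6.106.82: ICMP echo request, id 8581, seq 1, length 64
22:20:44.922617 IP 107.6.106.82 > 192.168.1.109: ICMP echo reply, id 8581, seq 1, length 64
22:21:02.100001 IP 192.168.1.50 > 192.168.1.60: ICMP echo request, id 1201, seq 1, length 64
22:21:02.100412 IP 192.168.1.60 > 192.168.1.50: ICMP echo reply, id 1201, seq 1, length 64'

# Foreign-packet count for the constructed sample (expected: 2).
sample_foreign_count() {
    printf '%s\n' "$SAMPLE_CAPTURE" | count_foreign_packets 192.168.1.109
}

echo "foreign packets in sample capture: $(sample_foreign_count)"

# Live use on the Snort guest (assumed interface eth0 and local address):
#   sudo tcpdump -n -q icmp -i eth0 -c 20 2>/dev/null | count_foreign_packets 192.168.1.109
#   iface_is_promisc eth0 && echo "eth0 is in promiscuous mode"
```

If iface_is_promisc reports the NIC as promiscuous while tcpdump is running but count_foreign_packets stays at zero during a ping between the two other guests, the guest side is fine and the virtual switch (or the portgroup, which overrides the switch setting) is still rejecting promiscuous mode.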
