Configuring Promiscuous Mode for ESXi
This article is a supplement to my series of articles detailing the installation of Snort on Ubuntu, available here, but is helpful to anyone who needs to setup a VMware virtual switch for promiscuous mode. When you enable promiscuous mode on a virtual switch, you are allowing any host on that virtual switch to listen to all traffic on that virtual switch, rather than for traffic destined solely for that host. Because this is a vulnerability (a malicious host could collect information not intended for it), you will only want to configure promiscuous mode if you have a host on that switch that specifically needs to see all traffic on the switch, often when you have a NIDS like Snort installed.
From the VMware webpage:
- Log into the ESXi/ESX host or vCenter Server using the vSphere Client.
- Select the ESXi/ESX host in the inventory (in this case, the Snort server).
- Click the Configuration tab.
- In the Hardware section, click Networking.
- Click Properties of the virtual switch for which you want to enable promiscuous mode.
- Select the virtual switch or portgroup you wish to modify and click Edit.
- Click the Security tab.
- From the Promiscuous Mode dropdown menu, click Accept.
To test that promiscuous mode is working correctly on the virtual switch, you have a few options, mostly based around using packet capture software on one host to see if you are able to see traffic passing between two other hosts.
If you configured Snort as detailed in my series of guides (available here), you should still have the rule enabled to alert whenever the Snort server sees ICMP messages. Ping between two different hosts on the virtual switch, and the Snort server should generate alerts.
Other methods of testing if promiscuous mode is working would be to use packet capture software such as wireshark or tcpdump, just look for traffic passing between two other hosts on the same virtual switch. Wireshark is a graphical tool, while tcpdump is a console tool.
A quick tcpdump to print out ICMP packets (ping echo request and reply for example):
sudo tcpdump -n -q icmp -i eth0
we have chosen to use the following flags in the example above:
-n Don't convert addresses (i.e., host addresses, port numbers, etc.) to names. -q Be less verbose (than the default) while capturing packets. icmp Only show ICMP messages (ICMP echo request and reply generated by ping). -i eth0 Listen for traffic on interface eth0
Example output when pinging xkcd.com:
user@server:~$ sudo tcpdump -n -q icmp -i eth0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 22:20:44.811692 IP 192.168.1.109 > 22.214.171.124: ICMP echo request, id 8581, seq 1, length 64 22:20:44.922617 IP 126.96.36.199 > 192.168.1.109: ICMP echo reply, id 8581, seq 1, length 64 22:20:45.811962 IP 192.168.1.109 > 188.8.131.52: ICMP echo request, id 8581, seq 2, length 64 22:20:45.927140 IP 184.108.40.206 > 192.168.1.109: ICMP echo reply, id 8581, seq 2, length 64 22:20:46.812684 IP 192.168.1.109 > 220.127.116.11: ICMP echo request, id 8581, seq 3, length 64 22:20:46.924001 IP 18.104.22.168 > 192.168.1.109: ICMP echo reply, id 8581, seq 3, length 64 22:20:47.814323 IP 192.168.1.109 > 22.214.171.124: ICMP echo request, id 8581, seq 4, length 64 22:20:47.925460 IP 126.96.36.199 > 192.168.1.109: ICMP echo reply, id 8581, seq 4, length 64 ^C 8 packets captured 8 packets received by filter 0 packets dropped by kernel user@server:~$