Setup VM to Receive Mirrored Traffic in Hyper-V

There are a number of scenarios where you want to receive all the traffic coming from a network: for example, network intrusion detection systems (NIDS), monitoring tools (Wireshark, Message Analyzer, tcpdump, etc.), or software-defined networking (SDN) routers and switches such as Open vSwitch.

To enable the feature we will have to use PowerShell commands and jump through a couple of hoops to get and set the necessary properties.

For now we will assume that a Hyper-V switch has not yet been created to receive this traffic. To enable a VM NIC to receive mirrored traffic we need a dedicated VM switch which has the Switch Extension Port Feature MonitorMode defined. The host hardware must also have an available interface on which the mirrored traffic will arrive.

To create the new switch we need to know the interface description of the physical adapter we will bind it to. It's best to use the interface description because this is the “name” Hyper-V refers to in the GUI and other places. In this example we will bind to “Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client) #36”.

New-VMSwitch -Name PortMirrorSW -NetAdapterInterfaceDescription "Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client) #36" -AllowManagementOS:$false

We now have to create an instance of the feature which we will add to our switch:

$Feature = Get-VMSystemSwitchExtensionPortFeature -FeatureName "Ethernet Switch Port Security Settings"

We now apply this to our switch:

Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName PortMirrorSW -VMSwitchExtensionFeature $Feature

At this point MonitorMode is 0. No monitoring (the default) is 0; source, or send packets, is 2. We set 2 because our switch port will be the source of the packets. To do this we take an instance of the feature we applied to our switch and modify its MonitorMode setting.

$SetFeature = Get-VMSwitchExtensionPortFeature -ExternalPort -SwitchName PortMirrorSW
$SetFeature.SettingData.MonitorMode = [byte]2

Then we set this to the switch:

Set-VMSwitchExtensionPortFeature -ExternalPort -SwitchName PortMirrorSW -VMSwitchExtensionFeature $SetFeature

We can validate this with the following line:

(Get-VMSwitchExtensionPortFeature -ExternalPort -SwitchName PortMirrorSW).SettingData

Now that the switch port is enabled, we must also enable the VM adapter. Typically your VM will have multiple adapters, one of which will be designated for receiving mirrored traffic. In this example we have installed AlienVault OSSIM to inspect traffic entering and leaving through our gateway.

Get-VMNetworkAdapter AlienVaultDemo

Name           IsManagementOs VMName         SwitchName   MacAddress   Status IPAddresses
----           -------------- ------         ----------   ----------   ------ -----------
AlienVaultDemo False          AlienVaultDemo Office       00155D64081E {Ok}   {}
Mirror         False          AlienVaultDemo PortMirrorSW 00155D640821 {Ok}   {}

Then we set the adapter attached to PortMirrorSW (named Mirror in the listing above) as a port mirror destination:

Set-VMNetworkAdapter -VMName AlienVaultDemo -Name "Mirror" -PortMirroring Destination

From this point all the traffic sent to the mirrored port can be received by the VM.
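
To confirm that every step above took effect, the following check can be run on the Hyper-V host. It is an added example, not part of the original post; the function name Test-PortMirrorSetup is hypothetical, and checks 3 and 4 assume that exactly one adapter of the monitoring VM, and no other VM, is attached to the dedicated switch.

```powershell
# Added example (not from the original post). Run elevated on the Hyper-V host.
# Default names are the ones used on this page; the function name is hypothetical.
function Test-PortMirrorSetup {
    param(
        [string]$SwitchName = 'PortMirrorSW',
        [string]$VMName     = 'AlienVaultDemo'
    )

    # Emits one result row per check; values are compared as strings so enum,
    # byte and boolean properties can all be matched against a literal.
    $check = {
        param($Name, $Expected, $Actual)
        [pscustomobject]@{
            Check    = $Name
            Expected = $Expected
            Actual   = $Actual
            Pass     = ("$Actual" -eq "$Expected")
        }
    }

    # 1. External switch that is not shared with the management OS.
    $switch = Get-VMSwitch -Name $SwitchName -ErrorAction Stop
    & $check 'Switch type' 'External' $switch.SwitchType
    & $check 'AllowManagementOS' $false $switch.AllowManagementOS

    # 2. External port is a mirror source (MonitorMode = 2).
    $feature = Get-VMSwitchExtensionPortFeature -ExternalPort -SwitchName $SwitchName `
        -FeatureName 'Ethernet Switch Port Security Settings'
    & $check 'External port MonitorMode' 2 $feature.SettingData.MonitorMode

    # 3. Assumption: exactly one adapter of the monitoring VM is on the switch,
    #    and it is set as a port mirroring destination.
    $nics = @(Get-VMNetworkAdapter -VMName $VMName |
        Where-Object { $_.SwitchName -eq $SwitchName })
    & $check "Adapters of $VMName on $SwitchName" 1 $nics.Count
    foreach ($nic in $nics) {
        & $check "PortMirroringMode of '$($nic.Name)'" 'Destination' $nic.PortMirroringMode
    }

    # 4. Assumption: the switch is dedicated, so no other VM is attached to it.
    $others = @(Get-VMNetworkAdapter -VMName * |
        Where-Object { $_.SwitchName -eq $SwitchName -and $_.VMName -ne $VMName })
    & $check "Other VMs attached to $SwitchName" 0 $others.Count
}

Test-PortMirrorSetup | Format-Table -AutoSize
```

Any row with Pass set to False points at the step to revisit; a failing row in check 4 means another VM's adapter is connected to the switch that carries the mirrored traffic.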

 

 

