Thursday, October 27, 2005

VMware Workstation Vnetsniffer

Did you know VMware Workstation ships with a sniffer? I should have know about it before now. Lenny Zeltser mentioned it in his 2001 paper on reverse engineering malware. There's only 15 references in Google Groups, however.

Vnetsniffer is very limited with regard to reporting. Here is sample output:

C:\Program Files\VMware\VMware Workstation>vnetsniffer
usage: vnetsniffer [/e] (/p "pvnID" | VMnet?)

C:\Program Files\VMware\VMware Workstation>runas /u:administrator "vnetsniffer /e vmnet0"
Enter password for administrator:
Attempting to start "vnetsniffer /e vmnet0" as user "administrator"...

len 203 src 00:03:47:0f:1f:3c dst 00:13:10:65:2f:ab IP src 192.168.2.4
dst 208.185.174.52 TCP
len 60 src 00:13:10:65:2f:ab dst 00:03:47:0f:1f:3c ARP sender
00:13:10:65:2f:ab 192.168.2.1 target 00:00:00:00:00:00 192.168.2.4
ARP request
len 42 src 00:03:47:0f:1f:3c dst 00:13:10:65:2f:ab ARP sender
00:03:47:0f:1f:3c 192.168.2.4 target 00:13:10:65:2f:ab 192.168.2.1
ARP reply
len 203 src 00:03:47:0f:1f:3c dst 00:13:10:65:2f:ab IP src 192.168.2.4
dst 208.185.174.52 TCP
len 342 src 00:0c:29:22:b7:2d dst ff:ff:ff:ff:ff:ff IP src 0.0.0.0
dst 255.255.255.255 UDP
len 203 src 00:03:47:0f:1f:3c dst 00:13:10:65:2f:ab IP src 192.168.2.4
dst 208.185.174.52 TCP
len 342 src 00:0c:29:22:b7:2d dst ff:ff:ff:ff:ff:ff IP src 0.0.0.0
dst 255.255.255.255 UDP
len 342 src 00:0c:29:22:b7:2d dst ff:ff:ff:ff:ff:ff IP src 0.0.0.0
dst 255.255.255.255 UDP
len 203 src 00:03:47:0f:1f:3c dst 00:13:10:65:2f:ab IP src 192.168.2.4
dst 208.185.174.52 TCP
len 435 src 00:13:10:65:2f:ab dst 00:03:47:0f:1f:3c IP src 208.185.174.52
dst 192.168.2.4 TCP

This output doesn't even show TCP or UDP ports, which would be very helpful. Vnetsniffer seems best suited for basic troubleshooting of virtual switches, thanks to the ability to specify a vmnet to monitor. Here I chose vmnet0, which is the default bridged interface. vmnet1 is used for host-only networking, and vmnet8 is used for NAT.

3 comments:

John Ward said...

Depending on my need, I usually just run Ethereal on the host OS... Although that is cool, I had no idea this utility shipped with VMWare.

dghnfgj said...
This comment has been removed by a blog administrator.
Anonymous said...

Who know - what's format file of "vnetsniffer /w filename" ???