Solera V2P Tap

It looks like Solera Networks built a virtual tap, as I hoped someone would. I mentioned it to Solera when I visited them last year, so I'm glad to see someone built it. I told them it would be helpful for someone to create a way for virtual switches to export traffic from the VM environment to a physical environment, so that a NSM sensor could watch traffic as it would when connected to a physical tap.

This picture describes what it does:

You can read more in this news post and product description. You can download it here. The V2P Tap requires ESX Server, which I do not run. If someone with ESX Server downloads the V2P Tap, please let me know how it works for you.

Comments

Unknown said…
Thanks for posting this! Doing it the manual hard-coded way is a pain in the butt. This is why I subscribe to your blog in the RSS Reader. Thanks!
6:18 PM
Anonymous said…
Thanks for info Richard. Virtual tap + freebsd 7.0 with new sguil (on esx) - it is plan for this week
2:45 AM
jbmoore said…
It was not difficult to install. Configuring is another story. the dsfs kernel module is not loading likely due to a licensing issue. At least this is what the web interface says. The little documentation they supply says nothing about a license and one was not supplied with the download.
8:32 PM
Anonymous said…
Can anyone assess the overall system load by using this virtual tap to send out traffic? I've seen in a VMware ESX workload analysis presentation that both disk and network I/O impose the highest virtualization overhead. So if the soft tap is sending out a lot of traffic then system resources on the physical host may become overly taxed.
2:50 PM
jbmoore said…
My issue was resolved after tech support called me back.
Network adapter 1 must be the Management interface.
Network adapter 2 is the V2P Tap interface.
Network adapter 3 is the Regen interface.

In the Solera-V2P directory, cat Solera-V2P.vmx should show:

tools.remindInstall = "TRUE"
ethernet0.address = "00:50:56:01:01:01"
ethernet1.address = "00:50:56:02:02:02"
ethernet2.address = "00:50:56:03:03:03"

My vmx file was missing the latter three entries preventing the dsfs kernel module from loading.

The ESX server needs to be connected to either a SPAN port on a managed switch or a hub to see all traffic.
4:10 PM
jbmoore said…
Oops, tech support gave me the wrong info about the network interface labeling. I had the correct order according to the Quick Start Guide:
NIC 1 is V2P Tap. Nic 2 is Management. Nic 3 is Regen.
5:38 PM
Unknown said…
There is a fix posted on Solera Networks site to update the .vmx file you can download it directly here: http://www.soleranetworks.com/downloads/v2pfix.zip there is also a new package with detailed installation instructions available here: http://www.soleranetworks.com/products/virtual-tap-download.php
6:32 PM
Anonymous said…
Hey Rich, did you notice the product is no longer free. They liked your idea so much they sold it.
11:10 PM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more