Virtual Machine Network Monitoring the Easy Way, with Hyper-V in Windows Server 2012

Gregg O’Brien is a Microsoft Premier Field Engineer from Canada, where French people are readily available.

The Challenge: Capturing Traffic Across VMs

There comes a point in the life of every server administrator where they must take a look at what is happening on the network.

Complex multi-tiered systems and fancy network gear can often leave us wondering just what is happening on that wire, especially when things go wrong. Capturing network traffic gives us the opportunity to see exactly what hits the network, and is one of the most concrete and accurate representations of data.

Unfortunately, virtualization makes this a lot more complicated. Especially when we are looking at systems which are proprietary, high-load/high-performance, or mission critical, and which are either unable to run network capture software or would be at too high a risk of performance degradation (or other malfunctions) when running a network capture app. In a physical server environment, things like port mirroring on switches or even using a good old-fashioned network hub can make it possible to capture network traffic without having software present on the server. But these options are not possible with virtualization, due to limitations imposed by the virtual switch.

This is where Hyper-V on Windows Server 2012 comes in!

Extensible Switch Modules

One of the great new features in Hyper-V on Windows Server 2012 is the ability to have extensible switch modules.

Now, Microsoft and 3rd party vendors can add extensions to the virtual switch infrastructure to perform operations on traffic at the switch level. The extension we’re going to use today is the Microsoft NDIS Packet Capture Filter Driver. It allows us to configure virtualized network interfaces to behave as if port mirroring were in effect: allowing a protocol analyzer on one virtual machine to capture network traffic from another.

So what are the benefits of this?
1) No need to install network monitoring software on every virtual machine!
2) Since there is no need to install anything on the target VM, there is no need for a change management ticket or outage window to install the network monitoring software. Troubleshooting can begin sooner!
3) VMs running applications or OSes that can’t accept the installation of network monitoring software can be monitored.
4) VM/Application performance is not affected by having network capture software installed on the same virtual machine.

Setting Up A Capture

So now that we understand what it’s all about, let’s take a look at how we get it done.

In my lab, I’ll use two VMs:

  • Tools-VM - where I will capture the traffic from
  • C-LAB-2012B -  the machine that has the interesting traffic that I want to see

Starting with the configuration on C-LAB-2012B:

  • Open a Virtual Machine Connection and then select “Settings” from the “File” menu.
  • Expand “Network Adapter” and then click on “Advanced Features”.
  • The “Port Mirroring” field will appear to the right.
    • Select “Source” and click “Apply” and then “OK”.

Now over to Tools-VM, which will be the destination - where the mirrored traffic will be sent to.

  • Select “Settings” from the File menu in the Virtual Machine Connection:
  • Then expand “Network Adapter” and click on “Advanced Features”
    • Choose “Destination” and click on “Apply” and then “OK”.

Now we can install Microsoft Network Monitor to go ahead and start capturing traffic. It can be found on the Microsoft website here.

Installation of Network Monitor is pretty straightforward: Just run the executable file and perform a complete installation.

Once Network Monitor is installed, we can configure Network Monitor to start capturing the traffic we want to see from the other machine, C-LAB-2012B.

  • Launch Network Monitor and enable “P-Mode” on the network interface connected to the network from which we wish to capture.
  • Create a new capture and press the “Start” button to start capturing traffic.

Over on C-LAB-2012B, I started generating some interesting traffic.

Now on Tools-VM we can see the traffic being captured in Network Monitor just as if the traffic was destined for Tools-VM itself!

And with that, we can now capture network traffic from another VM on the same host. It’s one of the great new features of Hyper-V in Windows Server 2012.

I bet this will make virtual machine administration and troubleshooting much easier!

Posted by Tristan Kington , MSPFE Editor in promiscuous mode.