1

I'm running Windows in a VM inside of OSX. If I start Wireshark inside Windows, then a message from OSX pops up saying that Wireshark is trying to monitor all network traffic. If I accept, then Wireshark starts showing all sorts of network activity. This can't be from Windows, because I don't have anything in there doing anything, but I am running things which are communicating through the internet in OSX.

Is Wireshark able to see the network activity from OSX? How can it do this if it's inside a virtual machine?

3 Answers

1

Other people have provided good answers, but it looks like nobody answered this part:

How can it do this if it's inside a virtual machine?

In "bridged" mode, VMware is giving the guest low-level access to the network interface. This is potentially an unsafe privilege to give to the guest, since it could spy on the host's network activity or even on other hosts on the same network.

That's why VMware warns you about "attempting to monitor traffic" -- VMware is confirming with you that it's okay to provide this privilege to the guest.

4

Most commercial VM managers default to shared networking, which allows the VM to share all of the host's network interfaces, or bridged networking, which allows the VM to share a particular host network interface. To restrict this, switch the VM to "host-only" networking; you will then have to use some kind of NAT arrangement for the VM to communicate with the outside world.

5
  • Will there be any difference seen by Wireshark between shared and bridged networking?
    – tony_sid
    Commented Mar 6, 2011 at 2:46
  • @OSX Jedi: Try it and ... see?
    Commented Mar 6, 2011 at 17:52
  • Shared will see all host interfaces' traffic on the virtual eth0; bridged only sees activity from the bridged interface, and host-only will only see traffic over the virtual tunnel gateway (vnic0 on the host side here, with Parallels)
    – geekosaur
    Commented Mar 7, 2011 at 2:12
  • For spying on the network is shared better than bridged mode?
    – tony_sid
    Commented Mar 7, 2011 at 4:38
  • 1
    Depends on where you want to spy. If I have multiple interfaces and want to see traffic only on one of them inside the VM, I would have to use bridged instead of shared.
    – geekosaur
    Commented Mar 7, 2011 at 7:51
2

The virtual machine's network settings are likely in bridged mode, meaning it receives a routable IP address on your LAN just like the Mac itself. With this setting, promiscuous mode in Wireshark can see exactly what your Mac workstation sees. Host Only or Internal networking will hide outside traffic.
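
As an added example (not part of the original answers): a short Python audit of a VMware `.vmx` file that reports which virtual adapters are bridged, the mode the answers above identify as exposing the host network's traffic to the guest. The sample file contents are constructed, and treating a missing `connectionType` as bridged is an assumption about VMware's default.

```python
import re

# Constructed sample .vmx contents (not taken from the page).
SAMPLE_VMX = '''\
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet1.present = "TRUE"
ethernet1.connectionType = "hostonly"
ethernet2.present = "FALSE"
ethernet2.connectionType = "bridged"
ethernet3.present = "TRUE"
ethernet3.connectionType = "bridged"
ethernet3.noPromisc = "TRUE"
ethernet4.present = "TRUE"
'''

LINE = re.compile(r'^\s*ethernet(\d+)\.(\w+)\s*=\s*"([^"]*)"\s*$', re.I)

def parse_adapters(vmx_text):
    """Return {adapter index: {lowercased key: value}} for ethernetN.* lines."""
    adapters = {}
    for line in vmx_text.splitlines():
        m = LINE.match(line)
        if m:
            idx, key, value = m.groups()
            adapters.setdefault(int(idx), {})[key.lower()] = value
    return adapters

def audit(vmx_text):
    """Return (adapter, mode, finding) tuples for adapters that are present."""
    report = []
    for idx, cfg in sorted(parse_adapters(vmx_text).items()):
        if cfg.get("present", "FALSE").upper() != "TRUE":
            continue  # adapter is not attached to the guest
        # Assumption: a missing connectionType is treated as bridged.
        mode = cfg.get("connectiontype", "bridged").lower()
        no_promisc = cfg.get("nopromisc", "FALSE").upper() == "TRUE"
        if mode == "bridged" and not no_promisc:
            finding = "guest can capture traffic on the host's physical network"
        elif mode == "bridged":
            finding = "bridged, but promiscuous mode is refused (noPromisc)"
        else:
            finding = "guest sees only the virtual network"
        report.append((f"ethernet{idx}", mode, finding))
    return report

if __name__ == "__main__":
    for name, mode, finding in audit(SAMPLE_VMX):
        print(f"{name:10} {mode:9} {finding}")
```
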
