You can capture packets on a WiFi interface either in managed mode or if your hardware supports it, monitor mode too. If you're not interested in IEEE 802.11 management/control frames or radiotap headers, and you only care about traffic to/from your capture device, then you don't need to use monitor mode. What you'll get instead are packets that have fake IEEE 802.3 framing instead. However, if you do care about management/control frames or radiotap information or capturing all traffic on a particular channel, then you will either need to set your interface card to monitor mode or use an external device capable of capturing IEEE 802.11 traffic.

Note that not all WiFi cards support monitor mode and support may vary depending on your operating system.

For more information about WiFi capturing, I'll refer you to the Wireshark wiki page, WLAN (IEEE 802.11) capture setup. Note that the Wireshark wiki is being migrated to GitLab on August 11, 2020, so this link may become broken or possibly you'll be redirected automatically, I'm not sure.

This article is one in a series of articles describing the deployment path for OT monitoring with Microsoft Defender for IoT.

This article describes how to use Promiscuous mode in a Hyper-V vSwitch environment as a workaround for configuring traffic mirroring, similar to a SPAN port. A SPAN port on your switch mirrors local traffic from interfaces on the switch to a different interface on the same switch.

For more information, see Traffic mirroring with virtual switches.

Make sure that you understand your plan for network monitoring with Defender for IoT, and the SPAN ports you want to configure. For more information, see Traffic mirroring methods for OT monitoring.
Ensure that there's no instance of a virtual appliance running.
Make sure that you've enabled SPAN on your virtual switch's data port, and not the management port.
Ensure that the data port SPAN configuration isn't configured with an IP address.

Configure a traffic mirroring port with Hyper-V

1. In the Virtual switches list, select New virtual network switch > External as the dedicated spanned network adapter type.
2. In the Connection type area, select External network and ensure that the Allow management operating system to share this network adapter option is selected.

Attach a SPAN Virtual Interface to the virtual switch

Use Windows PowerShell or Hyper-V Manager to attach a SPAN virtual interface to the virtual switch you'd created earlier. If you use PowerShell, define the name of the newly added adapter hardware as Monitor. If you use Hyper-V Manager, the name of the newly added adapter hardware is set to Network Adapter.

Attach a SPAN virtual interface to the virtual switch with PowerShell

1. Select the newly added SPAN virtual switch you'd configured earlier, and run the following command to add a new network adapter:

    Add-VMNetworkAdapter -VMName VK-C1000V-LongRunning-650 -Name Monitor -SwitchName vSwitch_Span

2. Enable port mirroring for the selected interface as the span destination with the following command:

    Get-VMNetworkAdapter -VMName VK-C1000V-LongRunning-650 | ? Name -eq Monitor | Set-VMNetworkAdapter -PortMirroring Destination

Attach a SPAN virtual interface to the virtual switch with Hyper-V Manager

1. Under the Hyper-V Manager's Hardware list, select Network Adapter.
2. In the Virtual switch field, select vSwitch_Span.
3. In the Hardware list, under the Network Adapter drop-down list, select Hardware Acceleration and clear the Virtual Machine Queue option for the monitoring network interface.
4. In the Hardware list, under the Network Adapter drop-down list, select Advanced Features. Under the Port Mirroring section, select Destination as the mirroring mode for the new virtual interface.

Turn on Microsoft NDIS capture extensions

Turn on support for Microsoft NDIS Capture Extensions for the virtual switch you'd created earlier. To enable Microsoft NDIS capture extensions for your new virtual switch:

1. Open the Virtual Switch Manager on the Hyper-V host.
2. In the Virtual Switches list, expand the virtual switch name vSwitch_Span and select Extensions.
3. In the Switch Extensions field, select Microsoft NDIS Capture.

Configure the mirroring mode on the virtual switch you'd created earlier so that the external port is defined as the mirroring source. This includes configuring the Hyper-V virtual switch (vSwitch_Span) to forward any traffic that comes to the external source port to a virtual network adapter configured as the destination.
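
A read-only check of the mirroring settings that the Hyper-V steps on this page configure, added here as an example and not part of the original article. It assumes the switch, VM and adapter names used in the page's commands; the port feature name "Ethernet Switch Port Security Settings" and the MonitorMode value 2 for "source" are not stated on this page.

```powershell
# Added example: audit the SPAN mirror configuration on the Hyper-V host.
# Run in an elevated PowerShell session with the Hyper-V module available.
# Names are taken from the commands on this page; adjust them for your host.
$SwitchName  = 'vSwitch_Span'
$VMName      = 'VK-C1000V-LongRunning-650'
$AdapterName = 'Monitor'   # 'Network Adapter' if the adapter was added with Hyper-V Manager

$findings = @()

# 1. The Microsoft NDIS Capture extension must be enabled on the SPAN switch.
$ext = Get-VMSwitchExtension -VMSwitchName $SwitchName -Name 'Microsoft NDIS Capture'
if (-not $ext -or -not $ext.Enabled) {
    $findings += "Microsoft NDIS Capture is not enabled on $SwitchName"
}

# 2. The monitoring adapter must be attached to the SPAN switch, set as the
#    mirroring destination, and have Virtual Machine Queue cleared (weight 0).
$nic = Get-VMNetworkAdapter -VMName $VMName -Name $AdapterName
if (-not $nic) {
    $findings += "Adapter '$AdapterName' not found on VM $VMName"
} else {
    if ($nic.SwitchName -ne $SwitchName) {
        $findings += "Adapter is on switch '$($nic.SwitchName)', expected $SwitchName"
    }
    if ($nic.PortMirroringMode -ne 'Destination') {
        $findings += "Adapter mirroring mode is '$($nic.PortMirroringMode)', expected Destination"
    }
    if ($nic.VmqWeight -ne 0) {
        $findings += "Virtual Machine Queue is still enabled (VmqWeight=$($nic.VmqWeight))"
    }
}

# 3. The switch's external port must be the mirroring source.
#    Assumption: MonitorMode 2 means "source" (value not given on this page).
$port = Get-VMSwitchExtensionPortFeature -SwitchName $SwitchName -ExternalPort `
            -FeatureName 'Ethernet Switch Port Security Settings'
if (-not $port -or $port.SettingData.MonitorMode -ne 2) {
    $findings += "External port of $SwitchName is not set as the mirroring source"
}

if ($findings.Count -eq 0) {
    Write-Output "SPAN mirror configuration on $SwitchName looks complete."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```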