Sniffing VirtualBox machine behind NAT

nat; tcpdump; virtualbox

I have a VirtualBox machine with a single interface connected to VB's NAT mode. What I would like to do is sniff all traffic coming from/to any machine behind that NAT. (I don't think I will need to sniff on more machines at the same time).

Background for this is software testing. More specifically, I'd like to see in bigger picture what exactly goes from/to the machine without the need to filter out all the noise that the host is already producing.

I used to do this on Windows 7 with VMware, where the traffic flowed through a separate virtual interface on the host, so sniffing the traffic from (all) machines behind the NAT was as easy as sniffing on that interface only.

Now I tried to achieve the same setup on Debian with VirtualBox, and I stopped at the fact that VirtualBox does not seem to separate the traffic this way: on Debian, Wireshark only offers eth0, nflog, lo and any (pseudo-device to capture on all others). When I sniff on eth0, I can't easily distinguish between what came from the host and what came from the guest.

Is it possible to do this with VirtualBox? Or is there a better (easier) setup?

Both machines are running Debian 7.0 Wheezy.

Note: What I was (maybe naively) thinking as a possible solution was: a way to distinguish on the outgoing packets that they have been translated. (Does NAT really not leave a trace?) Now it strikes me that this would at least definitely not be easy for incoming packets…

Best Answer

To do so, you have to create a bridge interface under Linux:

sudo brctl addbr br0

This will create a bridge interface that virtualbox can attach to.

Then you have to configure your virtual machine so that it uses this interface:

[Screenshot: Configure bridged network on VirtualBox]

You can now sniff on br0 to see what's happening on your "virtual machines" network.

You may need to configure the br0 interface as well as NAT:

# Assign IP address 192.168.42.2 (netmask 255.255.255.0) to br0
ip addr add 192.168.42.2/24 dev br0
# Tell your host that it should masquerade (NAT) all virtual machines
# (POSTROUTING/MASQUERADE live in the nat table, so -t nat is required)
iptables -t nat -A POSTROUTING -o <lan_interface> -j MASQUERADE

Remember that there is no DHCP server running in the br0 network so you will have to configure (IP addresses and default gateway) all your virtual machines manually.

Edit: Fixed syntax error in brctl command
Edit 2: Added information to configure the bridge interface
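
The host-side steps from the answer collected into one script with a matching teardown, as an added example that is not part of the original answer. The `-s 192.168.42.0/24` match, the `ip link set` and `sysctl` lines, the teardown and all function names are assumptions added here; the uplink name (eth0 in the question) is supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the answer): build and tear down the br0 capture
# network. Assumed values: guest subnet 192.168.42.0/24 (derived from the
# answer's br0 address) and a caller-supplied uplink name such as eth0.
BR=br0
BR_ADDR=192.168.42.2/24
GUEST_NET=192.168.42.0/24

# Accept only plausible Linux interface names (max 15 chars, no shell
# metacharacters), because the generated plan is executed as root.
valid_ifname() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Print the host-side setup commands, one per line.
bridge_plan() {
    valid_ifname "$1" || return 1
    cat <<EOF
brctl addbr $BR
ip addr add $BR_ADDR dev $BR
ip link set $BR up
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $GUEST_NET -o $1 -j MASQUERADE
EOF
}

# Print the commands that undo bridge_plan. ip_forward is left untouched,
# since it may already have been enabled before the test.
teardown_plan() {
    valid_ifname "$1" || return 1
    cat <<EOF
iptables -t nat -D POSTROUTING -s $GUEST_NET -o $1 -j MASQUERADE
ip link set $BR down
brctl delbr $BR
EOF
}

# Print the capture command: only guest traffic crosses br0.
capture_cmd() { printf 'tcpdump -n -i %s -w %s\n' "$BR" "$1"; }

# Usage (as root): script up eth0 | script down eth0
case "${1:-}" in
    up)   plan=$(bridge_plan "${2:-}") && printf '%s\n' "$plan" | sh -e \
              && capture_cmd guest.pcap ;;
    down) plan=$(teardown_plan "${2:-}") && printf '%s\n' "$plan" | sh -e ;;
esac
```

Run without arguments the script does nothing; `up` prints the tcpdump command to start once the bridge exists, and `down` removes the NAT rule and the bridge after the test.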
