
I am not a pro with networking and am trying to understand the same better.

Below is the setup I have.

The host system is OSX running VirtualBox. Two VirtualBox VMs (VM1 and VM2), each running Ubuntu, are connected to the OSX host over the VBoxnet0 interface in a Host-Only network configuration. Both are able to ping each other perfectly.

Now what I want is to be able to monitor all network activity (say, using Wireshark) from VM1 (running Wireshark) while there is any network activity on VM2.

How do I achieve this?

Pardon my limited understanding here, but will IP forwarding be needed in this case? I guess not, because both VMs are on the same VBoxnet0 interface and on the same 192.168.56.* network. Please correct me if my understanding here is wrong.

I already tried adding the IP of VM1 as the gateway for VM2 using:

route add default gw 192.168.56.102 eth0

but it did not really help a lot.

1 Answer


The normal way to do this would be to use the network tracing feature included in VirtualBox. I think this might be unavailable in the GUI, so you would have to use the command-line interface.

In a nutshell

You are starting with a VM switched off.

To enable the network trace and start the VM, you would do:

# VBoxManage modifyvm [your-vm] --nictrace[adapter-number] on --nictracefile[adapter-number] file.pcap
# VirtualBox -startvm [your-vm]

Don't forget to disable tracing when you're finished:

# VBoxManage modifyvm [your-vm] --nictrace[adapter-number] off 

An example

Taking into account the example you gave:

To enable:

# VBoxManage modifyvm VM1 --nictrace1 on --nictracefile1 mytrace.pcap
# VirtualBox -startvm VM1

To disable:

# VBoxManage modifyvm VM1 --nictrace1 off 
  • So here, if I understand it correctly, what would happen is that any network activity happening on VM1 would be logged to mytrace.pcap, which I can then analyze with Wireshark, for example, wherever I want. However (if my understanding above is right), I do not want to do this. A bigger part of the problem is that I would be running inetsim on VM2 and hence would want the VM1 to actually talk to VM1 and then do a live capture of the traffic from VM2, through Wireshark running on VM1. Any further suggestions?
    – qre0ct
    Commented Sep 27, 2016 at 6:44
  • @qre0ct: Sorry, I think I cannot follow. Could you elaborate on that a bit more?
    – pacey
    Commented Sep 27, 2016 at 7:02
  • So what I want is: a malware sample is executed in VM1 (running Ubuntu). The malware (identified as a Linux trojan through some initial analysis) may make outbound network connections to its command and control center or other online services. I would like to monitor these network activities that the malware is doing, while simulating the various internet services (using inetsim on VM2) so that the malware does not really get access to its C&C but talks to the simulated services I have on VM2. And now, while this happens, I would also want to monitor all the network traffic on VM2.
    – qre0ct
    Commented Sep 27, 2016 at 7:37
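Once the VM has been run with `--nictrace1 on`, the resulting trace can be checked for the malware's contacts with the simulated services without opening Wireshark. The following is an added example, not code from the answer or from VirtualBox: a minimal reader for the classic pcap format that VirtualBox writes, counting packets per destination and port. The sample trace is constructed inline and assumes VM1 (the malware host) is 192.168.56.102 and VM2 (inetsim) is 192.168.56.101.

```python
import struct
from collections import Counter

def read_pcap(data):
    """Yield raw frames from classic pcap bytes (what --nictracefile writes); pcapng is rejected."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type (1)")
    off = 24                                  # skip the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16                             # skip the per-record header
        yield data[off:off + incl_len]
        off += incl_len

def endpoints(frame):
    """(src_ip, dst_ip, 'tcp'|'udp', dst_port) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                           # not IPv4 (ARP, IPv6, ...)
    l4 = 14 + (frame[14] & 0x0F) * 4          # IHL gives the transport header offset
    proto = frame[23]
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return None
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    return src, dst, {6: "tcp", 17: "udp"}[proto], struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]

def summarize(data):
    """Packet count per (src, dst, proto, dport): one row per service the guest contacted."""
    return Counter(e for e in map(endpoints, read_pcap(data)) if e)

# Constructed sample trace (not a real capture): VM1 .102 talking to inetsim on VM2 .101.
def build_frame(src, dst, proto, dport):
    """Ethernet + IPv4 header + only the transport port fields; enough for endpoints()."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x02" * 12 + b"\x08\x00" + ip + struct.pack("!HH", 40000, dport)

def build_pcap(frames):
    """Little-endian classic pcap: 24-byte global header, 16-byte record header per frame."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = build_pcap([
    build_frame("192.168.56.102", "192.168.56.101", 17, 53),    # DNS lookup of the C&C name
    build_frame("192.168.56.102", "192.168.56.101", 6, 80),     # HTTP beacon to inetsim
    build_frame("192.168.56.102", "192.168.56.101", 6, 80),
    build_frame("192.168.56.101", "192.168.56.102", 6, 40000),  # inetsim's reply
])
```

On a real trace, call `summarize(open("mytrace.pcap", "rb").read())`; any row whose destination is not VM2 shows the sample reaching past the inetsim sandbox.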
