Wireshark-dev: Re: [Wireshark-dev] Virtual WireShark appliance
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 20 Sep 2010 13:58:38 -0700
On Sep 20, 2010, at 1:44 PM, john s wolter wrote:

> Sake and Marco,
> 
> ....but

Nobody's arguing against the idea of a Wireshark virtual appliance, as far as I can tell.

As Sake said:

> The problem is how to get
> packets to the virtual appliance. Most virtual switches that come
> with the virtualization environment just don't do port mirroring and
> such (please correct me if I'm wrong here nowadays).

I.e., if the virtual machine does not provide mechanisms by which a program running on one virtual machine can monitor on-the-wire traffic to another virtual machine, or traffic within another virtual machine, or between two virtual machines, there's really not much Wireshark can do.  There might be virtual machines that support this - as Marco said:

> Cisco's Nexus 1000V can do (ER)SPAN.

but, if there are any virtual machines where Wireshark running on one virtual machine can't look at any traffic other than traffic to or from the VM on which it's running, a Wireshark virtual appliance *for that particular virtual machine* won't be very useful.

I.e., it's worth investigating, but it's not necessarily going to work on all VMs.

> Just imagine how working in the Cloud will change everything.

...assuming that "the cloud" ends up being like "the Web" rather than, say, "push technology". :-)