How to Configure Port Mirroring in Hyper-V

Learn to set up port mirroring in Hyper-V to analyze network traffic between virtual machines, enhancing your ability to troubleshoot and monitor VM communications.

Port mirroring is a powerful feature that allows you to duplicate network traffic from one virtual machine to another for analysis. This technique is particularly useful for network administrators and security professionals who need to monitor, troubleshoot, or analyze network communications in a Hyper-V environment. In this guide, we’ll walk you through the process of configuring port mirroring in Hyper-V, step by step.

Creating a Virtual Switch for Port Mirroring

Before we can set up port mirroring, we need to create a virtual switch that will facilitate communication between our virtual machines.

Step 1: Open Hyper-V Manager by searching for it in the Start menu or running virtmgmt.msc in the Run dialog.

Step 2: In Hyper-V Manager, right-click on your host machine and select “Virtual Switch Manager”.

Step 3: Click on “Create Virtual Switch” and choose “External” as the type.

Step 4: Give your switch a descriptive name, such as “PortMirrorSwitch”, and click “OK” to create it.

After creating the virtual switch, we need to make some additional configurations to ensure it’s properly set up for port mirroring.

Step 5: Open Control Panel and navigate to Network and Internet > Network and Sharing Center.

Step 6: Click on “Change adapter settings” in the left sidebar.

Step 7: Right-click on the newly created virtual switch and select “Properties”.

Step 8: In the Properties window, go to the “Sharing” tab and uncheck “Allow other network users to connect through this computer’s internet connection”.

Step 9: From the dropdown menu, select a physical network adapter to bind to this virtual switch, then click “OK” to save the changes.

Configuring the Source Virtual Machine

Now that we have our virtual switch set up, we’ll configure the source virtual machine – the one whose traffic we want to monitor.

Step 1: In Hyper-V Manager, right-click on the source VM and select “Settings”.

Step 2: In the settings window, click on “Network Adapter” in the hardware list.

Step 3: Expand the network adapter settings by clicking the plus (+) icon, then click on “Advanced Features”.

Step 4: In the “Port Mirroring” section, set the “Mirroring Mode” to “Source” from the dropdown menu.

Step 5: Click “Apply” and then “OK” to save these settings.

You can repeat this process for multiple source VMs if you need to monitor traffic from several machines. Just make sure they’re all connected to the same virtual switch we created earlier.

Setting Up the Destination Virtual Machine

The destination VM is where we’ll capture and analyze the mirrored traffic. To set this up effectively, we’ll create an additional network adapter specifically for capturing mirrored traffic.

Step 1: Shut down the destination VM if it’s currently running.

Step 2: Right-click on the destination VM in Hyper-V Manager and select “Settings”.

Step 3: Click on “Add Hardware” at the top of the settings window.

Step 4: Select “Network Adapter” from the list and click “Add”.

Step 5: In the newly added network adapter’s settings, select the virtual switch we created earlier (e.g., “PortMirrorSwitch”) from the dropdown menu.

Step 6: Expand the network adapter settings by clicking the plus (+) icon, then click on “Advanced Features”.

Step 7: In the “Port Mirroring” section, set the “Mirroring Mode” to “Destination” from the dropdown menu.

Step 8: Click “Apply” and then “OK” to save these settings.
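
The switch, source and destination steps above can also be scripted with the Hyper-V PowerShell module on the host. This is an added example, not part of the original guide; the adapter name 'Ethernet', the VM names 'SourceVM' and 'MonitorVM', and the capture adapter name 'MirrorCapture' are assumptions to replace with your own.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V
# Added example: scripted equivalent of the Hyper-V Manager steps in this guide.
$ErrorActionPreference = 'Stop'

$SwitchName  = 'PortMirrorSwitch'   # switch name used in the guide
$PhysicalNic = 'Ethernet'           # assumed: host adapter to bind (see Get-NetAdapter)
$SourceVMs   = @('SourceVM')        # assumed: VMs whose traffic is mirrored
$MonitorVM   = 'MonitorVM'          # assumed: VM that runs the analyzer
$CaptureNic  = 'MirrorCapture'      # assumed: name for the dedicated capture adapter

# 1. Create the external switch only if it does not exist yet.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -NetAdapterName $PhysicalNic -AllowManagementOS $true |
        Out-Null
}

# 2. Mark each source VM's adapter on that switch as a mirroring source.
foreach ($vm in $SourceVMs) {
    $adapters = Get-VMNetworkAdapter -VMName $vm |
        Where-Object { $_.SwitchName -eq $SwitchName }
    if (-not $adapters) {
        throw "VM '$vm' has no adapter on '$SwitchName'; connect it before mirroring."
    }
    $adapters | Set-VMNetworkAdapter -PortMirroring Source
}

# 3. Shut down the destination VM, add the capture adapter, mark it as destination.
if ((Get-VM -Name $MonitorVM).State -ne 'Off') {
    Stop-VM -Name $MonitorVM
}
$existing = Get-VMNetworkAdapter -VMName $MonitorVM -Name $CaptureNic -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-VMNetworkAdapter -VMName $MonitorVM -SwitchName $SwitchName -Name $CaptureNic
}
Set-VMNetworkAdapter -VMName $MonitorVM -Name $CaptureNic -PortMirroring Destination
Start-VM -Name $MonitorVM

# 4. Show the resulting mirroring mode of every adapter involved.
Get-VMNetworkAdapter -VMName ($SourceVMs + $MonitorVM) |
    Format-Table VMName, Name, SwitchName, PortMirroringMode -AutoSize
```

To undo the change, set the same adapters back with -PortMirroring None.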

Installing and Configuring Traffic Analysis Software

To make use of the mirrored traffic, you’ll need to install traffic analysis software on the destination VM. Wireshark is a popular and powerful option for this purpose.

Step 1: Start the destination VM and log in.

Step 2: Download and install Wireshark from the official website (https://www.wireshark.org/).

Step 3: Once installed, open Wireshark and select the network adapter that’s configured for port mirroring.

Step 4: Click the blue shark fin icon to start capturing packets.

Step 5: Generate some network traffic on your source VM(s) and observe the captured packets in Wireshark on the destination VM.

Troubleshooting Port Mirroring

If you’re not seeing the expected traffic in Wireshark, try these troubleshooting steps:

  • Verify that all VMs are connected to the correct virtual switch.
  • Ensure that the source VM’s network adapter is set to “Source” and the destination VM’s is set to “Destination” for port mirroring.
  • Check that the physical network adapter bound to the virtual switch is functioning correctly.
  • Restart the Hyper-V Virtual Machine Management service on the host machine.
  • If using Windows Firewall, ensure it’s not blocking the mirrored traffic.
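
The first four checks in this list can be run from an elevated PowerShell prompt on the host. This is an added example, not part of the original guide; it only reads configuration, and because it lists every adapter with mirroring enabled it also shows mirroring sessions nobody is expecting.

```powershell
# Added example: read-only audit of port mirroring on a Hyper-V host.
# 'PortMirrorSwitch' is the switch name from the guide; change it to match your host.
$SwitchName = 'PortMirrorSwitch'

# Every VM adapter on this host with mirroring enabled, whichever switch it is on.
$mirrored = Get-VM | Get-VMNetworkAdapter |
    Where-Object { $_.PortMirroringMode -ne 'None' }
$mirrored | Sort-Object SwitchName, PortMirroringMode |
    Format-Table VMName, Name, SwitchName, PortMirroringMode -AutoSize

# Source and destination must share a switch: flag switches that have only one role,
# and flag mirroring that is configured on a switch other than the expected one.
foreach ($group in ($mirrored | Group-Object SwitchName)) {
    $src = @($group.Group | Where-Object { $_.PortMirroringMode -eq 'Source' }).Count
    $dst = @($group.Group | Where-Object { $_.PortMirroringMode -eq 'Destination' }).Count
    if ($src -and -not $dst) {
        Write-Warning "Switch '$($group.Name)': $src source adapter(s) but no destination."
    }
    if ($dst -and -not $src) {
        Write-Warning "Switch '$($group.Name)': $dst destination adapter(s) but no source."
    }
    if ($group.Name -ne $SwitchName) {
        Write-Warning "Mirroring is enabled on '$($group.Name)'; confirm it is intended."
    }
}

# State of the physical adapter bound to the external switch.
$switch = Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue
if (-not $switch) {
    Write-Warning "Virtual switch '$SwitchName' was not found on this host."
} elseif ($switch.SwitchType -eq 'External') {
    Get-NetAdapter -InterfaceDescription $switch.NetAdapterInterfaceDescription |
        Format-Table Name, InterfaceDescription, Status, LinkSpeed -AutoSize
}

# Hyper-V Virtual Machine Management service (service name: vmms).
# If it needs a restart, run: Restart-Service -Name vmms
Get-Service -Name vmms | Format-Table Name, DisplayName, Status -AutoSize
```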

By following these steps, you’ve successfully set up port mirroring in Hyper-V. This powerful feature allows you to monitor and analyze network traffic between your virtual machines, providing valuable insights for troubleshooting and security analysis. Remember to use this capability responsibly and in compliance with your organization’s policies and relevant laws.