-
|
I've been using SO2 for over a year now, but it's only a couple of weeks ago that I realized that I wasn't capturing all my traffic. Long story short, after lots of Googling I found out that I had to set my monitoring interface in VMware to VLAN ID 4095. I'm just curious to know if this is something obvious that I missed or if maybe others are in the same situation and don't realize it. |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 4 replies
-
|
Based on your previous discussion, is this an issue with Ubiquity sending traffic to ESXi or anything sending VLAN traffic to ESXi? |
Beta Was this translation helpful? Give feedback.
-
|
I haven't done much reading on it, but it seems to be related to ESXi only sending certain traffic (tagged vs untagged?) through a virtual switch. By setting VLAN ID 4095, it will send all traffic through. The answer I found in my earlier post was from Ubiquiti which is the setup I have, but I'm guessing it's not a problem unique to Ubiquiti/Unifi. I would definitely be curious to hear from other users if they've experienced this because in my case when I performed NIDS testing (https://docs.securityonion.net/en/2.3/managing-alerts.html), I got the response I expected, so I assumed all was good to go. It's only a year later when I actually had to dig into my alerts/PCAPs that I noticed that I was missing lots of traffic. If it ends up that others are in the same situation, could I suggest adding a mention of the VLAN ID 4095 in the docs somewhere? |
Beta Was this translation helpful? Give feedback.
-
|
I've added a warning to the docs on the VMware page: |
Beta Was this translation helpful? Give feedback.
-
|
For newer versions of vsphere (7.*?), you might need to choose VLAN Trunking and use the range 0-4094. 4095 is no longer a valid option. Setting promiscuous mode, MAC address changes, and forged transmits all to accept seems to make sense to. DOing these things should allow you to see all traffic passing through the vSwitch only on the host that the sensor resides on. In my environment, I have a sensor pinned to each host. |
Beta Was this translation helpful? Give feedback.
-
|
I'm not sure about yours, but my vCenter Server (7.0) still shows 4095 as an option, and actually labels it as "All" VLANs. You won't see it on ESXi though, but it works there too. I have multiple ESXi 7.0 hosts setup with network trunks on VLAN 4095 and they all work perfectly. Also, AFAIK you should only need to allow promiscuous mode to sniff packets. MAC address changes and forged transmits I don't believe are necessary. |
Beta Was this translation helpful? Give feedback.
-
|
true, unless you are using bonded interfaces as per #2676 |
Beta Was this translation helpful? Give feedback.
Based on your previous discussion, is this an issue with Ubiquity sending traffic to ESXi or anything sending VLAN traffic to ESXi?