From owner-freebsd-net@FreeBSD.ORG Wed Aug 28 06:10:08 2013 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 297A915F for ; Wed, 28 Aug 2013 06:10:08 +0000 (UTC) (envelope-from carlopmart@gmail.com) Received: from mail-wg0-x234.google.com (mail-wg0-x234.google.com [IPv6:2a00:1450:400c:c00::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id B5C662CFC for ; Wed, 28 Aug 2013 06:10:07 +0000 (UTC) Received: by mail-wg0-f52.google.com with SMTP id l18so4226511wgh.31 for ; Tue, 27 Aug 2013 23:10:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=YV5nPs9z78furruCfwwpIiHAxlQ2gFzgdoGE7b2YIp0=; b=msBgt7FuEJyNDIRCA1mjC/XNE6cEaJ3hYRf3YCO6w5ua6X1Ddtew3DwGWEu/SC1+r1 TZYt1ur8wMlAl3AGD0r7T9pK+LaCzkp+N5ZeoSL+f6+RbhpXf3CeciifOEwUjWLVfJt+ l9L8qhoLU5FGFY0UzM+JkFFH0G3AhCpo3VYJFRmDEvKkTftucx4DQR5qlrZCZOIgMd0u VMD9quhf3Xmive7MqVQO68/F6dE8fiIbXpJvzkE+WfDClBwGw5Ihmg0jGLXS2+DBlOv3 ZtzawFHNMm2Zyjz3+nFFphMrheFEu466HWppimrDSagzeb86pxRxKP1+VWUxA1vwvXrd 4bkw== MIME-Version: 1.0 X-Received: by 10.194.120.68 with SMTP id la4mr9296316wjb.33.1377670205945; Tue, 27 Aug 2013 23:10:05 -0700 (PDT) Received: by 10.194.46.33 with HTTP; Tue, 27 Aug 2013 23:10:05 -0700 (PDT) In-Reply-To: References: <5219ECBD.4040209@gmail.com> Date: Wed, 28 Aug 2013 06:10:05 +0000 Message-ID: Subject: Re: Options to monitor/sniff network traffic under a vm From: "C. L. Martinez" To: freebsd-net@freebsd.org Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Aug 2013 06:10:08 -0000 On Tue, Aug 27, 2013 at 10:26 PM, John Nielsen wrote: > On Aug 25, 2013, at 5:38 AM, carlopmart wrote: > >> I need to monitor/sniff network traffic for three subnets (1 GiB nets) a= nd I need to do this using a virtual guest under an ESXi 5 host (yes, it is= a "handicap"). > > Not sure about your questions below, but doesn't ESXi 5 support port mirr= oring in the virtual switch? That seems like a better place to do most of t= he heavy lifting. You could still attach your FreeBSD instance to the monit= or port(s) for analysis. That would hopefully help at least with a) by redu= cing the number of virtual NICs needed. > Thanks John for your answer, but I can't use distributed switches in this ESXi server because is a standalone server (distributed vswitches are only available when you manage more than tow ESXi servers using clustering features and is the only option to do port mirroring. Using a standalone server you can enable promisc in a vswitch and use an external tap to see all traffic, but that's not the problem actually: I can see all traffic in this freebsd vm). About nics: I can't reduce the number of virtual NICs. I need to use six to monitor six different subnets ... And here is the problem with IRQs.