A few days ago I was running a sniffer on a user's Guest, originally just to watch my own traffic, but I unexpectedly found that once promiscuous mode is turned on, the sniffer can actually see other people's Unicast traffic on the same Virtual Switch (i.e. traffic whose source/destination is not that Guest, and which is not broadcast traffic either). Since a Virtual Switch is literally called a Switch, it supposedly should not have this special ability; and since a Virtual Switch is virtualized, in principle it should rely on the Hypervisor to decide which Guest a frame needs to go to and forward it only to that Guest, not hand it out to everyone like a Hub. So why can I see other people's traffic? Has any fellow forum member run into a similar situation....
By default, a guest operating system's virtual network adapter only receives frames that are meant for it. Placing the guest's network adapter in promiscuous mode causes it to receive all frames passed on the virtual switch that are allowed under the VLAN policy for the associated portgroup. This can be useful for intrusion detection monitoring or if a sniffer needs to analyze all traffic on the network segment.
The common understanding is that a physical switch only forwards traffic to the port that needs it; unless a mirror port is configured, a NIC on the other end will not see other people's unicast traffic even with promiscuous mode on. But according to VMware's knowledge base, it seems that as soon as a Guest's NIC enters promiscuous mode, the vSwitch forwards all traffic to it (similar to a mirror port). That does not make much sense (unless it can be turned off, or rather the default behaviour should be the opposite), because the Host administrator won't necessarily know what the application (AP) on the Guest is doing. If this is really how it behaves, then the vSwitch should be renamed vHub to match the general understanding....
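On ESXi the knob the post is asking about is the "Promiscuous Mode" entry of the vSwitch/portgroup security policy (Accept or Reject). As an added example, not from the thread or from VMware, here is a small audit helper that parses the output of esxcli's security-policy commands for standard vSwitches and their portgroups and reports where promiscuous mode is effectively accepted; the sample output is constructed, and the "Key: value" line layout plus the rule that a portgroup's own value applies only when its override flag is true are assumptions.

```python
# Constructed sample output; assumes the "Key: value" layout of
#   esxcli network vswitch standard policy security get -v <vswitch>
#   esxcli network vswitch standard portgroup policy security get -p <portgroup>
VSWITCH_OUTPUT = {
    "vSwitch0": "Allow Promiscuous: false\nAllow MAC Address Change: true\n"
                "Allow Forged Transmits: true\n",
    "vSwitch1": "Allow Promiscuous: true\nAllow MAC Address Change: false\n"
                "Allow Forged Transmits: false\n",
}
PORTGROUP_OUTPUT = {  # (portgroup name, parent vSwitch) -> esxcli output
    ("VM Network", "vSwitch0"): "Allow Promiscuous: false\n"
                                "Override Vswitch Allow Promiscuous: false\n",
    ("IDS Span", "vSwitch0"): "Allow Promiscuous: true\n"
                              "Override Vswitch Allow Promiscuous: true\n",
    ("Lab", "vSwitch1"): "Allow Promiscuous: false\n"
                         "Override Vswitch Allow Promiscuous: false\n",
}

def parse_policy(text):
    """Turn esxcli 'Key: true/false' lines into a dict of booleans."""
    policy = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            policy[key.strip()] = value.strip().lower() == "true"
    return policy

def effective_promiscuous(pg_policy, vs_policy):
    """Portgroup value counts only when it overrides; else the vSwitch value."""
    if pg_policy.get("Override Vswitch Allow Promiscuous", False):
        return pg_policy.get("Allow Promiscuous", False), "portgroup override"
    return vs_policy.get("Allow Promiscuous", False), "inherited from vSwitch"

def audit(vswitch_output, portgroup_output):
    """List (portgroup, reason) for each portgroup that accepts promiscuous mode."""
    vswitches = {n: parse_policy(o) for n, o in vswitch_output.items()}
    findings = []
    for (pg, vs), out in portgroup_output.items():
        allowed, reason = effective_promiscuous(parse_policy(out), vswitches[vs])
        if allowed:  # "Lab" shows false itself but inherits Accept from vSwitch1
            findings.append((pg, reason.replace("vSwitch", vs)))
    return sorted(findings)

def remediation(vswitch_output, portgroup_output):
    """esxcli commands that flip the effective policy back to Reject."""
    cmds = []
    for pg, reason in audit(vswitch_output, portgroup_output):
        if reason == "portgroup override":
            cmds.append(f'esxcli network vswitch standard portgroup policy security '
                        f'set -p "{pg}" --allow-promiscuous=false')
        else:  # inherited: fix it at the vSwitch level
            cmds.append(f"esxcli network vswitch standard policy security "
                        f"set -v {reason.split()[-1]} --allow-promiscuous=false")
    return list(dict.fromkeys(cmds))  # drop duplicate vSwitch-level commands
```

Run `audit(VSWITCH_OUTPUT, PORTGROUP_OUTPUT)` against real esxcli output to see which portgroups would let a guest in promiscuous mode receive every frame within its VLAN.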
Dear CM:
Have you tried turning this off and seeing what happens: