I’m teaching a Security Fundamentals course this semester and we’ve gotten to the point where we’re talking network security. In particular, we’re talking about using Wireshark to monitor and trace networks. I’ve found an interesting and useful little feature in VirtualBox.
Virtual Network Cards
VirtualBox, like most virtual machine managers, emulates network interface cards. So… how can I go about tracing these interfaces? The neat feature is that we can use the command-line management tool to capture all traffic on one of these virtual interfaces.
Step 1: Turning on network capture
Let’s trace traffic on the first virtual network interface:
VBoxManage modifyvm "ubuntu" --nictrace1 on --nictracefile1 vmtracefile.pcap
This turns on the tracing of the first network interface in the “ubuntu” virtual machine. At this point you start the VM and duplicate whatever situation you need to test.
Step 2: Turning off network capture
When you’re done, you turn off the tracing with the command:
VBoxManage modifyvm "ubuntu" --nictrace1 off
A few caveats
Don’t forget to turn off tracing: leaving it on is a security risk, and the trace files can get very large. The VirtualBox documentation suggests using snapshots in combination with this feature to keep track of what you’re doing and to minimize the window in which tracing is left on.
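One way to script Steps 1 and 2 so that tracing is not left on by accident, as an added example that is not from the original post or the VirtualBox documentation. The function names, the VBOXMANAGE and POLL_SECONDS variables, and the choice to wait for the VM to power off before disabling tracing are assumptions of this example.

```sh
#!/bin/sh
# Added example: one capture session on NIC 1 with guaranteed cleanup.
# VBOXMANAGE may be overridden (assumption of this example), e.g. for testing.
VBOXMANAGE=${VBOXMANAGE:-VBoxManage}

# Print the VM state (running, poweroff, ...) reported by showvminfo.
vm_state() {
    "$VBOXMANAGE" showvminfo "$1" --machinereadable |
        sed -n 's/^VMState="\(.*\)"$/\1/p'
}

# Start the VM and block until it has been shut down again.
run_until_poweroff() {
    "$VBOXMANAGE" startvm "$1" || return 1
    while :; do
        case $(vm_state "$1") in poweroff|aborted) break ;; esac
        sleep "${POLL_SECONDS:-5}"
    done
}

# trace_session VM PCAP
# Enables tracing, runs one power-on/power-off cycle, disables tracing.
# Use an absolute PCAP path so the file location is unambiguous.
trace_session() {
    vm=$1
    pcap=$2
    "$VBOXMANAGE" modifyvm "$vm" --nictrace1 on --nictracefile1 "$pcap" ||
        return 1
    rc=0
    run_until_poweroff "$vm" || rc=$?
    # modifyvm only applies to a VM that is not running, which is why
    # we waited for power-off. Always attempt to switch tracing off.
    if ! "$VBOXMANAGE" modifyvm "$vm" --nictrace1 off; then
        echo "WARNING: NIC tracing is still enabled on $vm" >&2
        rc=1
    fi
    # The capture holds everything the NIC saw; keep it owner-only.
    if [ -f "$pcap" ]; then
        chmod 600 "$pcap"
    fi
    return "$rc"
}
```

Source the file and call `trace_session ubuntu /path/to/vmtracefile.pcap`, then shut the guest down when the test is finished; the function returns non-zero if tracing could not be switched off.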
Lessons learned
Look closely at the underlying command-line interfaces for your virtual machine manager. One can find many very interesting features and tools hiding underneath the covers of the GUI.
Selah.