An ESXi host that uses only a standard vSwitch is hosting two production VMs that appear to be exchanging suspicious traffic. A security administrator deploys a new virtual appliance named Sniffer-VM and installs Wireshark on it. The goal is to capture every Ethernet frame that traverses the virtual switch, including frames that are not addressed to Sniffer-VM's own MAC address, so the packets can be analyzed for signs of lateral movement. No physical taps, distributed switches or additional agents are available.
Which single vSwitch or port-group setting must the administrator change to make this packet capture possible?
Configure LACP on the physical uplinks and make Sniffer-VM's vNIC an active link.
Enable jumbo frames (MTU 9000) on the vSwitch and on Sniffer-VM.
Set the port group that contains Sniffer-VM to Accept promiscuous mode and attach the appliance's vNIC to that group.
Move Sniffer-VM's vNIC to a VMkernel port that is configured for iSCSI storage traffic.
By default, a vSphere standard switch delivers a frame only to the virtual machine whose MAC address matches the frame's destination. When the security exception "Promiscuous mode" is set to Accept on a port group (or on the entire standard vSwitch), the switch stops filtering destination MAC addresses and forwards all frames it sees to any VM that is connected to that port group and has a NIC in promiscuous mode. Attaching Sniffer-VM's vNIC to such a port group lets Wireshark observe the intra-vSwitch traffic between the suspect VMs without any additional hardware. Enabling jumbo frames, moving the NIC to a VMkernel iSCSI port, or configuring LACP on the uplinks does not override the switch's normal destination-MAC filtering and therefore will not expose the required packets.
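The setting change described above, as an added PowerCLI example that is not part of the original question: it first audits where promiscuous mode is already allowed on the standard vSwitch (a permissive vSwitch-level policy is inherited by every port group, so every VM on it can sniff), then scopes the exception to a dedicated port group for the capture appliance. Host name esxi01.example.test, switch vSwitch0 and port group Sniffer-PG are assumed placeholders.

```powershell
# Added example, not from the page. Assumed names: esxi01.example.test, vSwitch0, Sniffer-PG, Sniffer-VM.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'esxi01.example.test'   # prompts for credentials

$vmHost  = Get-VMHost -Name 'esxi01.example.test'
$vSwitch = Get-VirtualSwitch -VMHost $vmHost -Name 'vSwitch0' -Standard

# 1. Audit: the vSwitch-level policy is the default every port group inherits,
#    so Accept here exposes every VM on the switch, not just the sniffer.
$switchPolicy = Get-SecurityPolicy -VirtualSwitch $vSwitch
"{0,-20} AllowPromiscuous={1}" -f $vSwitch.Name, $switchPolicy.AllowPromiscuous

Get-VirtualPortGroup -VirtualSwitch $vSwitch | ForEach-Object {
    $p = Get-SecurityPolicy -VirtualPortGroup $_
    # Inherited=True means the port group follows the vSwitch value printed above.
    "{0,-20} AllowPromiscuous={1} Inherited={2}" -f $_.Name, $p.AllowPromiscuous, $p.AllowPromiscuousInherited
}

# 2. Scope the exception: a dedicated port group for the capture appliance with
#    Promiscuous mode = Accept on that group alone; the vSwitch itself stays Reject.
$snifferPg = Get-VirtualPortGroup -VirtualSwitch $vSwitch -Name 'Sniffer-PG' -ErrorAction SilentlyContinue
if (-not $snifferPg) {
    # Use the same VLAN ID as the suspect VMs' port group (0 = untagged, assumed here);
    # the vSwitch only forwards frames within a VLAN, so a mismatch captures nothing.
    $snifferPg = New-VirtualPortGroup -VirtualSwitch $vSwitch -Name 'Sniffer-PG' -VLanId 0
}
Get-SecurityPolicy -VirtualPortGroup $snifferPg |
    Set-SecurityPolicy -AllowPromiscuous $true -AllowPromiscuousInherited $false

# 3. Attach the appliance's vNIC to the capture port group.
Get-VM -Name 'Sniffer-VM' | Get-NetworkAdapter |
    Set-NetworkAdapter -Portgroup $snifferPg -Confirm:$false

# 4. Verify: only Sniffer-PG should now report AllowPromiscuous=True.
Get-SecurityPolicy -VirtualPortGroup $snifferPg |
    Select-Object AllowPromiscuous, AllowPromiscuousInherited
```

When the investigation is finished, rerun the audit loop and set the port group back to Reject (or delete it), since a standing promiscuous port group lets any VM later placed on it read its neighbours' traffic.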