Using the probe as a virtual TAP
Revised: 2016-03-07
Learn when to use a virtual TAP, its purpose and benefits, and how to configure one for use on a VMware ESX server.
Prerequisite: Multi or Expert Probe.
The Virtual TAP (sometimes called a vTAP) lets you monitor traffic within a virtual host environment.
Most virtual environments provide virtual adapters for each virtual machine, and these virtual adapters are logically connected to a virtual switch managed by the virtual host system. The virtual switch manages traffic flow to and from the virtual adapters by mapping each virtual adapter to a physical adapter in the host. When promiscuous mode is enabled on a virtual adapter (or virtual switch), all traffic flowing through the virtual switch—including local traffic between virtual machines and remote traffic from outside the virtual host—is sent to the promiscuous virtual adapter and can be monitored by Observer.
To use the virtual tap you must monitor all virtual machines in a host from a virtual machine within that host. This assumes the virtual switch can be configured as a SPAN/mirror port or the virtual NIC has a “promiscuous mode” setting. This functionality is available in VMware’s ESX and ESXi. It may also be available in other virtual server products.
Using the virtual TAP, you can then collect and re-direct all traffic internal to the virtual switch to a dedicated virtual NIC within the monitoring virtual machine that is then connected to Observer.
If there is any internal communication between virtual machines, the only way to monitor this data is by using a separate monitoring virtual machine with an analysis service (for instance, probe) gathering data from the internal virtual switch. Should you need to analyze or store data on a GigaStor, installing a Virtual TAP within the monitoring virtual machine provides complete visibility into all data flowing on the internal virtual switch.
You can create a port group on a switch and use a virtual machine (VM1) to monitor traffic of a second virtual machine (VM2) that resides on the same switch but in a different port group.
Tip! If you already have a 64-bit Windows virtual machine, we suggest you use it, because installing the probe there will be less resource intensive on the host than installing a new virtual machine on the host.
1. Do one of the following:
On the probe: Click the Virtual TAP tab.
In Observer: Select a probe instance, right-click and choose Administer Selected Probe. Then click the Virtual TAP tab.
2. Click Modify to set the source and destination adapters for the virtual tap.
3. Choose your source and destination adapters and select the Enable Virtual Tap option.
You have now configured what you need to within Observer to enable the virtual tap feature, but you must modify a setting for your virtual switch.
4. Set the virtual NIC on the virtual switch within the host in SPAN/mirror mode, sometimes also called promiscuous mode. See your virtual machine’s documentation for further details.
When to use a virtual TAP
Monitoring network and application traffic in a virtualized environment containing one-to-many relationships between physical hardware devices (virtual hosts) and virtual application servers (virtual machines) presents a number of concerns.
Virtual environments are designed to include a virtual adapter (vNIC) for each virtual machine within the system. The vNIC is logically connected to a virtual switch, which is managed by the virtual host system (see the diagram below). This handles communication that remains inside the VM host. To enable communication into and out of the VM host, a logical connection between the vNIC and the physical adapter (pNIC) must be established.
Depending on the virtual server technology you have decided to implement, you have a number of options for network and application traffic visibility, and for the use of external devices for analysis. If all virtual machine communications take place between the virtual machines and the “outside” (i.e., outside the physical host), then monitoring the data flow from outside the host server may be the least complicated method by which to gain flow visibility. If there is any internal communication between virtual machines, the only way to monitor this data is by using a monitoring virtual machine (separate or existing) with an analysis service (i.e., probe) gathering data from the internal virtual switch. Should you need to analyze or store data on an external purpose-built device, installing a virtual TAP within the monitoring virtual machine provides complete visibility into all data flowing on the internal virtual switch.
Within the VMware ESX and ESXi environments, a virtual adapter can be set in “promiscuous mode.” When promiscuous mode is enabled on a virtual adapter, all traffic flowing through the virtual switch—including local traffic between virtual machines and remote traffic originating from outside the virtual host—is sent to the promiscuous virtual adapter.
A number of challenges are presented when attempting to monitor applications within a virtualized environment.
1. Lack of visibility. Traffic between virtual machines within a virtual host will not be visible outside of the host. This causes a number of problems:
a. Network engineers cannot monitor multi-tier applications partially or wholly located on multiple virtual machines within a single host.
b. Should a virtual machine be compromised by malicious code or security breach, other virtual machines within the same host may also be compromised.
2. Lack of analysis functionality. A separate solution is required to push data streams flowing within virtual machines out to an external tool or a purpose-built device. This functionality is necessary for network and application monitoring and analysis, compliance, and security audits. Virtual TAPs (software applications placed inside a virtual machine to export all data through a designated pNIC to an external device) can alleviate this problem.
Options
Created: 2014-04-17
The goal is to not only see all traffic flowing within a VM host but also export that data for powerful analytics and reporting. There are three primary ways to monitor both traffic flow from within applications on virtual machines and from the virtual host.
1. Monitor the host using an external analysis device as you would any other system, via SPAN technology or a physical TAP. This option works well for environments not needing to track internal virtual machine-to-machine traffic within a host. However, it may not catch a security breach compromising multiple virtual machines within a host.
2. Monitor all virtual machines in a host by establishing a new virtual machine within the host. This option assumes the ability to SPAN or set in promiscuous mode the virtual switch within the host. This option provides visibility at the statistics and packet levels of all traffic within a virtual host. It does not, however, allow packet-level traffic to be analyzed by an external physical device (IDS, retrospective analysis device, etc.).
3. Use a virtual TAP to collect and redirect all internal virtual machine traffic to a dedicated virtual NIC within the monitoring virtual machine that is connected to an external purpose-built device for analysis or compliance enforcement. Depending on the functionality of the external device the traffic is being copied to, this option may provide all the functionality of option two while taking advantage of the physical capabilities of the purpose-built external device.
Option two combined with option three offers the most extensive and comprehensive monitoring solution. In a VMware environment, you can use promiscuous mode on the internal virtual switch and direct a copy of all traffic from all virtual machines to a virtual machine monitoring instance. This allows you to collect metrics and perform real-time analysis, and, using a virtual TAP, you can redirect the packet streams out a separate NIC to a GigaStor probe.
Benefits of a virtual TAP
Created: 2014-04-17
Mirroring all traffic within a virtual host to an external device provides a number of advantages, including total visibility into VM application traffic and the ability to run greater analytics for comprehensive reporting and faster problem resolution.
For example:
Application Performance Monitoring. Feed VM traffic to an enterprise reporting engine for comprehensive monitoring of virtualized environments. Set and track performance baselines and respond quickly when performance deviates from the norm. Tracking VM traffic over time helps determine if your VM server load has increased to the point of requiring action.
Application Performance Troubleshooting. The virtual TAP can also output data to a GigaStor probe, which stores it for later access. The GigaStor can help isolate problems within your virtual environment and troubleshoot these issues using Application Analytics.
The Virtual TAP option bridges the visibility gap, allowing complete real-time analysis, Retrospective Network Analysis, and full-scale reporting on all virtualized traffic.
Configuring VMware ESX Server
Revised: 2016-01-14
A virtual machine is a convenient way to add monitoring capabilities to your network. Use this information to create a virtual switch.
Prerequisites:
Your virtual machine meets the minimum specifications.
Multi or Expert Probe is installed.
A free physical NIC is available.
The default Promiscuous Mode policy for the vSwitch itself should remain set to Reject. Only the new port group within the vSwitch should be set to Accept promiscuous mode. To work out which Windows Network Connection corresponds to which virtual adapter, uncheck the “connected” option for that adapter in the virtual machine properties dialog and note which connection in the Windows Network Connections dialog goes down.
In the virtual switch to be monitored, add a virtual port group and set it to run in Promiscuous Mode.
Caution: Do not choose the same source and destination for the Virtual TAP Settings. This could cause broadcast/multicast loops and would noticeably impact your network.
1. Open VI Client and highlight the VMware ESX Server Entry.
2. Click the Configuration tab.
3. Under Hardware, choose Networking.
4. Find the vSwitch for which you would like to monitor traffic and choose Properties.
5. In the vSwitch Properties dialog (Ports tab), click Add.
6. In the Add Network wizard, choose Virtual Machine [port group], give the group a name (“Promiscuous Port Group”), and finish the wizard.
7. In the vSwitch Properties dialog, highlight the new port group and click Edit.
8. Click the Security tab.
9. Select the Promiscuous Mode Policy Exception option and change the list to Accept.
Figure 78: VMware ESX Server
Figure 79: vSwitch Properties
10. Set up a second virtual switch and bind a second physical NIC to that virtual switch.
See Figure 79 (Virtual Infrastructure Client > Configuration tab), then Figure 81 (Add Networking > Add Network Wizard > Virtual Machine).
11. Create a virtual switch.
12. Select the appropriate NIC entry (for example, Physical NIC 2 on the ESX Server).
13. Name the vSwitch (for example, “vTAP OUT to GigaStor”) and finish.
The result should be similar to Figure 80. See your VMware ESX Server documentation if you need more detailed information on adding a virtual switch.
Figure 80: VMware Add Network Wizard
14. Edit the Virtual Machine that contains the Observer to use the Port Monitor Group and second vSwitch.
15. Select the first network adapter.
16. Change the Network label to the new Port Monitor Group, and add a second virtual NIC if needed.
17. Select the second virtual NIC, change the Network label to the second vSwitch (for example, vTAP OUT to GigaStor), and click OK.
18. Verify that the Virtual Machine containing Observer is located in both virtual switches.
Figure 81: Virtual Machine Properties
19. Within the virtual machine, set up Observer’s Virtual TAP with Local Area Connection 1 as the source adapter and Local Area Connection 2 as the destination adapter.
20. Connect the cable from “NIC 2” on the VMware ESX Server to the GigaStor capture card.
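The ESX-side part of this procedure (steps 1 through 18) can also be driven from VMware PowerCLI instead of the VI Client, which makes the result repeatable and lets you verify the two settings that matter for safety: promiscuous mode accepted only on the dedicated port group (not on the vSwitch itself) and the monitor and output port groups kept apart so the Virtual TAP source and destination cannot be the same. The script below is an added example, not Observer or VMware documentation code; the host name, VM name, vmnic name and port group names are placeholders you would replace. It assumes the Add Network wizard’s convention that the second vSwitch carries a port group with the same label, so the probe VM has something to attach to. Steps 19 and 20 (the Observer Virtual TAP setting and the cable to the GigaStor) remain manual.

```powershell
# Added example: automate steps 1-18 with VMware PowerCLI and audit the result.
# Every name below is a placeholder for this example; none comes from the original page.
param(
    [string]$VMHostName       = "esx01.example.local",      # placeholder ESX/ESXi host
    [string]$MonitoredSwitch  = "vSwitch0",                 # vSwitch carrying the VM traffic to monitor
    [string]$MonitorPortGroup = "Promiscuous Port Group",   # port group from step 6
    [string]$OutSwitch        = "vTAP OUT to GigaStor",     # second vSwitch from step 13
    [string]$OutNic           = "vmnic1",                   # the free physical NIC (placeholder name)
    [string]$ProbeVMName      = "ObserverProbeVM"           # placeholder name of the VM running the probe
)

Connect-VIServer -Server $VMHostName | Out-Null    # prompts for credentials
$vmhost = Get-VMHost -Name $VMHostName

# Steps 4-9: add a port group to the monitored vSwitch and accept promiscuous mode on that
# port group only. The vSwitch-level policy is deliberately not touched, so it stays Reject.
$vs    = Get-VirtualSwitch -VMHost $vmhost -Name $MonitoredSwitch
$pgMon = Get-VirtualPortGroup -VirtualSwitch $vs -Name $MonitorPortGroup -ErrorAction SilentlyContinue
if (-not $pgMon) { $pgMon = New-VirtualPortGroup -VirtualSwitch $vs -Name $MonitorPortGroup }
Get-SecurityPolicy -VirtualPortGroup $pgMon |
    Set-SecurityPolicy -AllowPromiscuousInherited $false -AllowPromiscuous $true | Out-Null

# Steps 10-13: a second vSwitch bound to the spare physical NIC, plus the port group the
# probe VM will attach to (the wizard creates this label implicitly; here it is explicit).
$vsOut = Get-VirtualSwitch -VMHost $vmhost -Name $OutSwitch -ErrorAction SilentlyContinue
if (-not $vsOut) { $vsOut = New-VirtualSwitch -VMHost $vmhost -Name $OutSwitch -Nic $OutNic }
$pgOut = Get-VirtualPortGroup -VirtualSwitch $vsOut -Name $OutSwitch -ErrorAction SilentlyContinue
if (-not $pgOut) { $pgOut = New-VirtualPortGroup -VirtualSwitch $vsOut -Name $OutSwitch }

# Steps 14-17: first vNIC of the probe VM on the monitor port group, second vNIC on the
# output port group (a second adapter is added if the VM only has one).
$vm   = Get-VM -Name $ProbeVMName
$nics = @(Get-NetworkAdapter -VM $vm)
Set-NetworkAdapter -NetworkAdapter $nics[0] -Portgroup $pgMon -Confirm:$false | Out-Null
if ($nics.Count -lt 2) {
    New-NetworkAdapter -VM $vm -Portgroup $pgOut -StartConnected -Confirm:$false | Out-Null
} else {
    Set-NetworkAdapter -NetworkAdapter $nics[1] -Portgroup $pgOut -Confirm:$false | Out-Null
}

# Step 18 and the safety checks: promiscuous mode accepted only on the dedicated port group,
# the two port groups on different vSwitches (same source and destination would loop
# broadcast/multicast traffic, per the Caution above), and the VM attached to both.
$switchPolicy = Get-SecurityPolicy -VirtualSwitch $vs
$pgPolicy     = Get-SecurityPolicy -VirtualPortGroup $pgMon
$attached     = @(Get-NetworkAdapter -VM $vm | Select-Object -ExpandProperty NetworkName)

$problems = @()
if ($switchPolicy.AllowPromiscuous) {
    $problems += "vSwitch '$MonitoredSwitch' accepts promiscuous mode at switch level; expected Reject"
}
if (-not $pgPolicy.AllowPromiscuous) {
    $problems += "port group '$MonitorPortGroup' does not accept promiscuous mode"
}
if ($pgMon.VirtualSwitchName -eq $pgOut.VirtualSwitchName) {
    $problems += "monitor and output port groups share a vSwitch; source and destination would overlap (loop risk)"
}
if ($attached -notcontains $pgMon.Name -or $attached -notcontains $pgOut.Name) {
    $problems += "VM '$ProbeVMName' is not attached to both '$MonitorPortGroup' and '$OutSwitch'"
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "Virtual TAP network configuration verified on $VMHostName" }
```

Run it from a workstation with the VMware.PowerCLI module installed; the audit section at the end can be run on its own against an existing host to confirm that a hand-configured vSwitch still matches the intended policy after later changes.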