Software within a virtual machine can be used to monitor or capture network traffic passing through a vSwitch Portgroup on the same ESX/ESXi host. Traffic may be limited to the traffic intended for other virtual machines on the same host, or come from a mirrored port on an upstream physical switch.
Configuration and the usage of the third-party monitoring software within a virtual machine, or upstream switch configuration, is outside the scope of this article.
Capturing and monitoring of network traffic using third-party monitoring software within a virtual machine is only possible if the network traffic is made available to that virtual machine.
The default security policy for VMware vSphere virtual machines denies the use of promiscuous mode to capture traffic on a vSwitch portgroup. Traffic that is not addressed to the MAC address of the monitoring virtual machine's network interface is not received or captured by the virtual machine or by the third-party monitoring software. For more information, see How promiscuous mode works at the virtual switch and portgroup levels (1002934) and Advanced Networking in the Basic System Administration guide for your version of ESX/ESXi.
To capture or monitor network traffic exposed to the ESX/ESXi host on a specific portgroup:
To capture or monitor network traffic external to the ESX/ESXi host, additionally:
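The portgroup-level promiscuous-mode setting is what decides whether a monitoring virtual machine sees other virtual machines' traffic, so it is worth both auditing and scoping tightly. The following PowerCLI script is an added example, not part of the VMware article: it lists the promiscuous-mode setting of every standard portgroup on a host, then enables promiscuous mode only on a portgroup reserved for the capture virtual machine, leaving the vSwitch-level default (reject) in force everywhere else. The host name `esx01.example.local` and the portgroup name `Monitoring-PG` are assumed placeholders.

```powershell
# Added example (not from the VMware KB article): PowerCLI audit and scoped
# enablement of promiscuous mode for a dedicated monitoring portgroup.
# Assumed placeholder values: host "esx01.example.local" and a standard
# vSwitch portgroup "Monitoring-PG" reserved for the capture virtual machine.

Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server "esx01.example.local"   # prompts for credentials

$vmHost = Get-VMHost -Name "esx01.example.local"

# 1. Audit: list every standard portgroup on the host with its effective
#    promiscuous-mode setting, so unexpected "True" entries stand out.
Get-VirtualSwitch -VMHost $vmHost -Standard |
    Get-VirtualPortGroup |
    ForEach-Object {
        $pol = Get-SecurityPolicy -VirtualPortGroup $_
        [pscustomobject]@{
            vSwitch          = $_.VirtualSwitchName
            PortGroup        = $_.Name
            AllowPromiscuous = $pol.AllowPromiscuous
            Inherited        = $pol.AllowPromiscuousInherited
        }
    } | Format-Table -AutoSize

# 2. Enable promiscuous mode only on the monitoring portgroup. Setting
#    AllowPromiscuousInherited to $false makes this an explicit portgroup
#    override, so the vSwitch keeps rejecting promiscuous mode for all
#    other portgroups.
$monPg = Get-VirtualPortGroup -VMHost $vmHost -Name "Monitoring-PG" -Standard
Get-SecurityPolicy -VirtualPortGroup $monPg |
    Set-SecurityPolicy -AllowPromiscuous $true -AllowPromiscuousInherited $false

# 3. Verify the change applies to that portgroup alone.
Get-SecurityPolicy -VirtualPortGroup $monPg |
    Select-Object AllowPromiscuous, AllowPromiscuousInherited

Disconnect-VIServer -Confirm:$false
```

Run the audit step on its own first; any portgroup other than the dedicated monitoring one that already reports `AllowPromiscuous = True` deserves a look, because every virtual machine attached to such a portgroup can capture the traffic the article describes.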
When a virtual machine attempts to utilize promiscuous mode in violation of the defined vSwitch and Portgroup security policy, the attempt is denied and logged by the ESX/ESXi host. For more information, see Identifying virtual machines attempting to use promiscuous network mode on ESX/ESXi (1023341).