So while ESX 3.5 (not sure about ESXi) may have tcpdump and tcpslice:
[root@esx root]# tcp
tcpd tcpdump tcpslice
They're of limited use, at least with the way ESX implements networking: vSwitches, after all, are good and proper layer 2 devices, so a port only sees frames addressed to its own MAC plus broadcast and flooded traffic. Now, that is not to say you couldn't do something with ARP poisoning, but... that's cheating. Well, maybe not so much, but guest methods of doing this are a bit beyond scope and, frankly, depending on VLANs, port groups, etc., could be hard to manage and may place undue stress on the ESX server (all those nasty poisoned ARP requests, keeping track of them, etc.).
So there is an answer: the Solera V2P tap.
This works essentially the same as any other network tap would and exposes all of the traffic on the virtual switch to your existing auditing/security infrastructure. Post in the comments if there is interest in me covering some guest methods for getting the same info.
Is this any different than a VM running on a portgroup with VLAN ID 4095?
Yes! So, with 4095 & VGT enabled you'd still have to have promisc mode enabled, mac change enabled, and do some crazy arp stuff to hear the traffic on other (virtual) ports. Remember, vSwitches are normal layer 2 devices and would be treated as such from a security/sniffing point of view.
That said, I'll throw up a port group with 4095 and see what I can see.
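To make the layer 2 argument in the post and in the reply above concrete, here is an added Python model of a learning vSwitch; it is not VMware's code and not from the original post or comments. It assumes that promiscuous mode means the switch copies every frame on a port's VLAN to that port, and that VLAN ID 4095 (VGT) makes a port a member of every VLAN.

```python
# Added example: a simplified learning layer-2 switch model, not VMware's
# vSwitch implementation. Assumptions: promiscuous ports get a copy of every
# frame forwarded on their VLAN; VLAN ID 4095 (VGT) means "member of all VLANs".
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
ALL_VLANS = 4095  # VGT port group: receives tagged frames from every VLAN


@dataclass
class Port:
    name: str
    mac: str                      # MAC of the vNIC plugged into this port
    vlan: int                     # port group VLAN ID (4095 = VGT)
    promiscuous: bool = False     # port group security policy: Accept
    seen: List[Tuple[int, str, str]] = field(default_factory=list)


class VSwitch:
    """Unicast goes only to the port that owns the destination MAC; broadcast
    and unknown unicast are flooded within the VLAN; promiscuous ports on the
    VLAN (or on 4095) additionally receive a copy of everything."""

    def __init__(self, ports: List[Port]):
        self.ports = {p.name: p for p in ports}
        self.table: Dict[Tuple[int, str], str] = {}  # (vlan, mac) -> port name

    def _on_vlan(self, port: Port, vlan: int) -> bool:
        return port.vlan in (vlan, ALL_VLANS)

    def send(self, src_port: str, dst_mac: str) -> List[str]:
        src = self.ports[src_port]
        vlan = src.vlan
        self.table[(vlan, src.mac)] = src_port       # learn the source MAC
        owner = self.table.get((vlan, dst_mac))      # None = unknown, flood
        delivered = []
        for name, p in self.ports.items():
            if name == src_port or not self._on_vlan(p, vlan):
                continue
            normal = dst_mac == BROADCAST or owner is None or owner == name
            if normal or p.promiscuous:
                p.seen.append((vlan, src.mac, dst_mac))
                delivered.append(name)
        return delivered


def demo() -> Dict[str, int]:
    """Two VMs on VLAN 10 exchange an ARP request and three unicast frames;
    compare a VGT-only monitor port with a VGT + promiscuous monitor port."""
    ports = [
        Port("vm-a", "00:50:56:aa:00:01", 10),                      # constructed MACs
        Port("vm-b", "00:50:56:aa:00:02", 10),
        Port("mon-4095", "00:50:56:aa:00:10", ALL_VLANS),           # 4095 only
        Port("mon-promisc", "00:50:56:aa:00:11", ALL_VLANS, True),  # 4095 + promisc
    ]
    sw = VSwitch(ports)
    sw.send("vm-a", BROADCAST)             # ARP request: flooded to every port
    sw.send("vm-b", "00:50:56:aa:00:01")   # reply: vm-a is already learned
    sw.send("vm-a", "00:50:56:aa:00:02")   # both MACs known: unicast only
    sw.send("vm-b", "00:50:56:aa:00:01")
    return {p.name: len(p.seen) for p in ports}
```

Running `demo()` shows the 4095-only monitor port catching just the broadcast, while the promiscuous one sees all four frames, which is why the reply says VLAN 4095 alone is not enough.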