Check out these great references as well: |
Our custom profiles repository for Wireshark |
Our Udemy course on Wireshark |
Our Udemy course on Wireless Packet capture |
A great question and problem.
The fundamental answer is you can’t. Why? Depends on who you believe. My conclusion is that Wireshark (really dumpcap) has to use either Winpcap in Windows or Libpcap in Linux to access the packet data within the stack. With Virtualbox, there is no path to the packet data that dumpcap can reach, even though the VirtualBox networks/virtual interfaces appear. See the vboxnet intefaces I have below:
Some web sites say the solution is to make sure that VirtualBox promiscous mode is turned on in the VM Network settings. Below I have selected a VM, chosen Settings, then Networking, then Advanced:
In the Promiscous mode – I selected Allow All. Then clicked on OK, and started the VM. It made no difference, I still could not capture this VM traffic on vboxnet0.
A bunch of other sites say to change the Attached to and set a bridged Host Only adapter. But this is also wrong, you can’t do both those things. None of them have screen shots, so that should tell you something too.
So how do we solve the problem? Well, it appears the VirtualBox folks know about this issue and they have provided a “work around”.
Basically you have to start the VM from a terminal, not the VirtualBox interface.
You have to issue two commands: the first starts a packet capture, and the second starts the VM. Caution: the capture is raw and can get big quickly. To stop it, you must shut down the VM.
While this is clunky, it works.
Here is the VirtualBox instruction page:
Here are the Linux commands I used on my lab network:
VBoxManage modifyvm "IPv6Sec-Debian-Host" --nictrace1 on --nictracefile1 /home/awalding/netlog.pcap
VirtualBox -startvm "IPv6Sec-Debian-Host"
After doing my testing, I was able to open the netlog.pcap file in Wireshark, and I was good to go.
I hope you find this article and its content helpful. Comments are welcomed below. If you would like to see more articles like this, please support us by clicking the patron link where you will receive free bonus access to courses and more, or simply buying us a cup of coffee!, and all comments are welcome!