This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Virtual Packet Decoder - Physical Network Tap

Go to solution
Anonymous
Not applicable

‎2016-03-16 01:30 AM

Hi everyone,

 

I'm looking to deploy a Virtual Packet Decoder but using a Physical network tap. There are documents surrounding the use of vSwitch promiscuous mode and Virtual taps, but nothing around physical taps.

 

I do realise that if I use a physical tap that virtual machine will be 'locked' to the physical host and a particular physical interface on that esx host.

 

Has anyone done this before?

Thanks.

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Anonymous
Not applicable

‎2017-01-18 04:06 AM

Hi Kevin,

Sorry to revive a very old thread. I was wondering if you could ask your VM guys what they've configured for the network tap?

I went to move our taps over to the virtual today and was getting nothing.

I configured a separate vSwitch for the physical interfaces and assigned a network card to the VM decoder that was on that switch.

Configured the decoder to capture on that interface in the NetWitness config.

 

I know I'm just missing something really tiny.

Thanks for your help.

View solution in original post

0 Likes
4 REPLIES 4

Go to solution
KEVINDIENST
Beginner
Beginner

‎2016-03-17 04:58 PM

We have a virtualized packet decoder. Our taps feed into aggregation systems by Gigamon. The Gigamon then provides these "raw" feeds as a "datafeed" that we drop to the network card on the decoder. In this instance a virtual NIC associated to the VM. If you want I can reach out to my VM team and see what is configured on the vSwitch side.

0 Likes

Go to solution
Anonymous
Not applicable

‎2017-01-18 04:06 AM

Hi Kevin,

Sorry to revive a very old thread. I was wondering if you could ask your VM guys what they've configured for the network tap?

I went to move our taps over to the virtual today and was getting nothing.

I configured a separate vSwitch for the physical interfaces and assigned a network card to the VM decoder that was on that switch.

Configured the decoder to capture on that interface in the NetWitness config.

 

I know I'm just missing something really tiny.

Thanks for your help.

0 Likes

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2017-01-24 04:50 PM

I figured out what my issue was. I wasn't seeing any packet traffic on the virtual decoder.

I have to configure VLAN 4095 on the PortGroup in order to see everything the tap was sending to the virtual switch.

Go to solution
KEVINDIENST
Beginner
Beginner
In response to Anonymous

‎2017-01-26 03:53 PM

Good to know! Sorry I didn't get back to you sooner, apologies for that. 

© 2022 RSA Security LLC or its affiliates. All rights reserved.