Bridge network to capture connections from VM with Arch and VirtualBox

symon · 2014-06-25 14:09:54

Hello everyone,
what I am trying to do is capturing the connections from a VM for malware analysis. It turned out to be a little harder then I thought because I'm absolutely new to arch.
So what I thought of: Just have a normal host adapter and sniff. But it turned out that the VM does not have a dedicated adapter.
So the obvious next step would be to create one. I did that via the Host-Only-Adapter menu.

The problem is, that this is not connected to the internet as it is for the guest only. So what I thought to do was bridging it to my wls1-interface wich is connected to a WiFi.
My normal way would be:

brctl addbr capture
brctl show 
brctl addif capture wls1
brctl addif capture vboxnet0

But that does not work with wls1 (it is refused to be linked to that bridge though enp0s25 works well).

The second thing I thought of was using netctl to build a bridge. This is what I put in /etc/netctl/bridge

Description="vmbridge"
Interface=br0
Connection=bridge
BindsToInterfaces=(wls1 vboxnet0)
IP=dhcp
## Ignore (R)STP and immediately activate the bridge
#SkipForwardingDelay=yes

But the command "sudo netctl start bridge" is just crashing my internet connection.

So how could I do this in the possibly best and most stable way?

Thanks for your help

Lekensteyn · 2014-06-25 17:23:30

As you have found out, you cannot create a (Ethernet) bridge with a wireless interface. That is not going to work, whether you use brctl directly, or netctl.

If you would like to setup everything quickly and do not mind capturing everything (including host traffic), then just run dumpcap/tcpdump on the wireless interface.

If you are not stuck to VBox, try QEMU. Example command:

qemu-system-x86_64 -enable-kvm -m 2G -hda disk.qcow2 -net dump,file=dump.pcap -net user -net nic,model=e1000

-enable-kvm: enable KVM virtualization acceleration (requires Intel VT-x or the AMD equivalent). Remove if your machine does not support it.
-m 2G: assign 2GB RAM
-hda disk.qcow2: disk image created with qemu-img create -f qcow2 disk.qcow2 16G (16 GB disk image)
As you need to tap on the network, let QEMU create a hub network with three devices:
- -net dump,file=...: hub network with
- -net user: the host connection (you could also use tap, bridge, etc. if needed)
- -net nic,model=...: the guest network connection

See the manual page qemu and the wiki for further details.

symon · 2014-06-28 13:29:52

Thank you very much for your help.
Just in case I was trying to stick to VMWare and just use the enp0s25 wired adapter. How would it work with netctl to create an internal network (lets say 10.0.2.0/24) with the vboxnet0 and the enp0s25 adapter but still letting the wired adapter be present on my wired network as 192.168.0.11 (like the dhclient got when connecting)?

hendry · 2015-09-14 10:45:21

I have the same problem as you symon. Trying to work out how to wireshark Virtualbox.

http://s.natalian.org/2015-09-14/1442226849_544x344.png
http://s.natalian.org/2015-09-14/vboxnet.png

Did you ever figure it out?

WorMzy · 2015-09-17 10:16:44

Please don't necrobump, hendry. Open a new thread about your problem and link back to this one if it is relevant.

Closing.

Arch Linux

#1 2014-06-25 14:09:54

Bridge network to capture connections from VM with Arch and VirtualBox

#2 2014-06-25 17:23:30

Re: Bridge network to capture connections from VM with Arch and VirtualBox

#3 2014-06-28 13:29:52

Re: Bridge network to capture connections from VM with Arch and VirtualBox

#4 2015-09-14 10:45:21

Re: Bridge network to capture connections from VM with Arch and VirtualBox

#5 2015-09-17 10:16:44

Re: Bridge network to capture connections from VM with Arch and VirtualBox

Board footer