Observer Analyzer : Observer Analyzer : Expert Probe Software : Using the probe as a virtual TAP
Using the probe as a virtual TAP
Learn when to use a virtual TAP, its purpose an benefits, and how to configure them for use in a VMware ESX server.
Prerequisite: Multi or Expert Probe.
The Virtual TAP (sometimes called a vTAP) allows you to configure a virtual tap to monitor traffic within a virtual host environment.
Most virtual environments provide virtual adapters for each virtual machine, and these virtual adapters are logically connected to a virtual switch managed by the virtual host system. The virtual switch manages traffic flow to and from the virtual adapters by mapping each virtual adapter to a physical adapter in the host. When promiscuous mode is enabled on a virtual adapter (or virtual switch), all traffic flowing through the virtual switch—including local traffic between virtual machines and remote traffic from outside the virtual host—is sent to the promiscuous virtual adapter and can be monitored by Observer.
To use the virtual tap you must monitor all virtual machines in a host from a virtual machine within the host. This assumes you can use a SPAN/mirror port or the virtual NIC has a “promiscuous mode” setting. This functionality is available in VMware’s ESX and ESXi. It may also be available in other virtual server products.
Using the virtual TAP, you can then collect and re-direct all traffic internal to the virtual switch to a dedicated virtual NIC within the monitoring virtual machine that is then connected to Observer.
If there is any internal communication between virtual machines, the only way to monitor this data is by using a separate monitoring virtual machine with an analysis service (for instance, probe) gathering data from the internal virtual switch. Should you need to analyze or store data on a GigaStor, installing a Virtual TAP within the monitoring virtual machine provides complete visibility into all data flowing on the internal virtual switch.
You can create a port group on a switch and use a virtual machine (VM1) to monitor traffic of a second virtual machine (VM2) that resides on the same switch but in different port.
Tip! If you already have a 64-bit Windows virtual machine, we suggest you use it, because installing the probe there will be less resource intensive on the host than installing a new virtual machine on the host.
1. Do one of the following:
On the probe: Click the Virtual TAP tab.
In Observer: Select a probe instance, right-click and choose Administer Selected Probe. Then click the Virtual TAP tab.
2. Click Modify to set the source and destination adapters for the virtual tap.
3. Choose your source and destination adapters and select the Enable Virtual Tap option.
You have now configured what you need to within Observer to enable the virtual tap feature, but you must modify a setting for your virtual switch.
4. Set the virtual NIC on the virtual switch within the host in SPAN/mirror mode, sometimes also called promiscuous mode. See your virtual machine’s documentation for further details.