
How to Configure Port Mirroring in vSphere

Port Mirroring in vSphere (also called SPAN or vSphere Distributed Switch Port Mirroring) is a feature that lets you copy network traffic from one or more virtual switch ports and send it to another port for monitoring, analysis, or security inspection.

In simple terms, it lets you watch or analyze VM network traffic without interrupting it.

In this lab tutorial, we will configure the port mirroring feature in vSphere.

Lab Environment Overview

Lab Infrastructure:

  • ESXi 7.0 Host: 192.168.91.129
  • vCenter Server: 192.168.91.130
  • Network: 192.168.91.0/24

Lab Objectives:

  1. Create a vSphere Distributed Switch (VDS)
  2. Configure distributed port groups
  3. Set up port mirroring sessions
  4. Test and verify traffic mirroring
  5. Troubleshoot common issues

Prerequisites:

  • Administrative access to vCenter Server
  • At least 2 virtual machines for testing
  • Network packet analyzer (Wireshark or tcpdump)

What the Lab Covers:

  1. Environment Preparation – Accessing vCenter and preparing test VMs
  2. Distributed Switch Setup – Creating and configuring VDS (required for port mirroring)
  3. Port Group Configuration – Setting up source and monitor port groups
  4. Port Mirroring Configuration – Step-by-step session creation
  5. Testing & Verification – Using tcpdump/Wireshark to verify mirrored traffic
  6. Troubleshooting – Common issues and solutions
  7. Performance Testing – Validating capture effectiveness

Part 1: Environment Preparation

Step 1.1: Access vCenter Server

  1. Open a web browser and navigate to your vCenter Server:
https://192.168.91.130
  2. Log in with your administrator credentials
    • Username: administrator@vsphere.local (or your custom SSO username)
    • Password: [Your vCenter password]
  3. Navigate to the vSphere Client interface

Step 1.2: Verify ESXi Host

  1. In vCenter, click on Menu → Hosts and Clusters
  2. Verify your ESXi host (192.168.91.129) is visible and connected
  3. Check host status shows “Connected” with a green icon
  4. Note the host version (should be ESXi 7.0.x)

Step 1.3: Prepare Test Virtual Machines

You’ll need at least two VMs for this lab:

  • VM1 (Source): The VM whose traffic we’ll mirror
  • VM2 (Monitor): The VM that will capture mirrored traffic

If you don’t have these VMs, create them:

  1. Right-click on your ESXi host → New Virtual Machine
  2. Create two lightweight VMs (minimal Linux or small Windows VMs work well)
  3. Ensure both VMs can communicate on the same network

Recommended VM Configuration:

  • Small Linux VMs (Ubuntu Server or CentOS minimal)
  • 1 vCPU, 2GB RAM each
  • 20GB disk space
  • Single network adapter

Part 2: Create vSphere Distributed Switch

Port mirroring requires a vSphere Distributed Switch (VDS). Standard switches don’t support this feature.

Step 2.1: Create the Distributed Switch

  1. In vCenter, click Menu → Networking
  2. Right-click on your datacenter → Distributed Switch → New Distributed Switch
  3. Name and Location:
    • Name: Lab-VDS-01
    • Location: Select your datacenter
    • Click Next
  4. Select Version:
    • Choose 7.0.0 (to match your ESXi version)
    • Click Next
  5. Configure Settings:
    • Number of uplinks: 2 (default)
    • Network I/O Control: Enabled (recommended)
    • Create a default port group: Checked
    • Default port group name: Lab-VDS-01-PG
    • Click Next
  6. Ready to Complete:
    • Review settings
    • Click Finish

Step 2.2: Add ESXi Host to Distributed Switch

  1. Select your newly created Lab-VDS-01 switch
  2. Click the Actions menu → Add and Manage Hosts
  3. Select Task:
    • Choose Add hosts
    • Click Next
  4. Select Hosts:
    • Click + New hosts
    • Select your ESXi host (192.168.91.129)
    • Click OK, then Next
  5. Select Network Adapter Tasks:
    • Check Manage physical adapters
    • Check Manage VMkernel adapters
    • Click Next
  6. Manage Physical Network Adapters:
    • Assign at least one physical NIC to the distributed switch uplinks
    • Click on a physical adapter (e.g., vmnic1)
    • Select Assign uplink → choose Uplink 1
    • Click Next
  7. Manage VMkernel Adapters:
    • If you have VMkernel adapters to migrate, assign them to appropriate port groups
    • Otherwise, click Next
  8. Migrate VM Networking:
    • Skip for now or migrate existing VMs if desired
    • Click Next
  9. Impact Analysis:
    • Review the impact (should show no issues)
    • Click Next, then Finish

Step 2.3: Create Additional Port Groups

Create dedicated port groups for our lab:

  1. Right-click Lab-VDS-01 → Distributed Port Group → New Distributed Port Group
  2. Create Source Port Group:
    • Name: Lab-Source-PG
    • Click Next
    • VLAN type: None (or VLAN 0)
    • Click Next, then Finish
  3. Create Monitor Port Group:
    • Repeat the process
    • Name: Lab-Monitor-PG
    • Click Next
    • VLAN type: None
    • Click Next, then Finish

Step 2.4: Configure Monitor Port Group Settings

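The monitoring VM requires promiscuous mode to be enabled on its port group. Promiscuous mode lets any VM attached to the port group receive traffic that is not addressed to it, so keep only the monitor VM on Lab-Monitor-PG:

  1. Select Lab-Monitor-PG
  2. Click the Configure tab → Settings → Policies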
  3. Click Edit
  4. Expand Security
  5. Set the following:
    • Promiscuous mode: Accept
    • MAC address changes: Accept
    • Forged transmits: Accept
  6. Click OK

Part 3: Migrate VMs to Distributed Switch

Step 3.1: Move VM1 (Source VM)

  1. Go to Menu → VMs and Templates
  2. Right-click on VM1 → Edit Settings
  3. Click on Network adapter 1
  4. Change the network to Lab-Source-PG
  5. Click OK

Step 3.2: Move VM2 (Monitor VM)

  1. Right-click on VM2 → Edit Settings
  2. Click on Network adapter 1
  3. Change the network to Lab-Monitor-PG
  4. Click OK

Step 3.3: Verify Network Connectivity

  1. Power on both VMs
  2. Log into each VM
  3. Assign IP addresses in the same subnet:
    • VM1: 192.168.91.201/24
    • VM2: 192.168.91.202/24
  4. Test connectivity:
# From VM1
ping 192.168.91.202

# From VM2
ping 192.168.91.201

Part 4: Configure Port Mirroring

Step 4.1: Create Port Mirroring Session

  1. In vCenter, go to Menu → Networking
  2. Select Lab-VDS-01
  3. Click the Configure tab
  4. Select Settings → Port Mirroring
  5. Click Add (+ icon)

Step 4.2: Configure Session Parameters

Session Name and Type:

  1. Session name: Lab-Mirror-Session-01
  2. Session type: Distributed Port Mirroring
  3. Normal I/O on destination ports: Not Allowed (recommended)
  4. Session enabled: Checked
  5. Snapshot length: 65535 (captures full packets)
  6. Sampling rate: 1 (captures every packet)

Traffic Direction:

  • Select Ingress and Egress (captures both incoming and outgoing traffic)

Click Next

Step 4.3: Select Source Ports

  1. Click + Add under Sources
  2. Select Ports
  3. Expand Lab-Source-PG
  4. Select the port that VM1 is connected to
    • You’ll see entries like “Lab-Source-PG-{number}”
    • Find the port showing your VM1’s MAC address or name
  5. Click OK
  6. Click Next

Note: To identify which port your VM is using:

  • Look at the VM name column
  • Or check the VM’s network adapter details to find the port ID

Step 4.4: Select Destination Port

  1. Click + Add under Destinations
  2. Select Ports
  3. Expand Lab-Monitor-PG
  4. Select the port that VM2 is connected to
  5. Click OK
  6. Click Next

Step 4.5: Complete Configuration

  1. Review your settings:
    • Session name: Lab-Mirror-Session-01
    • Type: Distributed Port Mirroring
    • Source: VM1’s port on Lab-Source-PG
    • Destination: VM2’s port on Lab-Monitor-PG
    • Direction: Ingress and Egress
    • Status: Enabled
  2. Click Finish

Step 4.6: Verify Port Mirroring Status

  1. The new session should appear in the Port Mirroring list
  2. Status column should show Enabled
  3. Note the Session ID for reference

Part 5: Test Port Mirroring

Step 5.1: Install Traffic Capture Tool on Monitor VM

For Linux Monitor VM:

# Ubuntu/Debian
sudo apt-get update
sudo apt-get install tcpdump

# CentOS/RHEL
sudo yum install tcpdump

# Or install Wireshark for GUI analysis
sudo apt-get install wireshark

For Windows Monitor VM:

Step 5.2: Start Packet Capture

On Linux Monitor VM (VM2):

# Capture all traffic on the network interface
sudo tcpdump -i eth0 -w /tmp/mirror_capture.pcap

# Or view traffic in real-time
sudo tcpdump -i eth0 -n

On Windows Monitor VM:

  1. Open Wireshark
  2. Select your network adapter
  3. Click the shark fin icon to start capture

Step 5.3: Generate Traffic from Source VM

On Source VM (VM1):

# Generate ICMP traffic
ping 192.168.91.1 -c 100

# Generate HTTP traffic
curl http://www.example.com

# Generate continuous traffic
ping 8.8.8.8

# Or generate SSH traffic
ssh user@192.168.91.130

Step 5.4: Verify Mirrored Traffic

On Monitor VM (VM2):

You should see traffic from VM1 appearing in your packet capture, including:

  • ICMP packets to various destinations
  • HTTP requests
  • DNS queries
  • Any other traffic generated by VM1

Expected output in tcpdump:

14:23:45.123456 IP 192.168.91.201 > 8.8.8.8: ICMP echo request, id 1234, seq 1
14:23:45.145678 IP 8.8.8.8 > 192.168.91.201: ICMP echo reply, id 1234, seq 1
14:23:46.234567 IP 192.168.91.201.52345 > 93.184.216.34.80: Flags [S], seq 123456

Key Observation: You should see traffic between VM1 and external hosts, NOT just traffic between VM1 and VM2. This confirms port mirroring is working correctly.

Part 6: Advanced Configuration Options

Option A: Configure ERSPAN (Encapsulated Remote SPAN)

If you have a remote analyzer, configure ERSPAN:

  1. Edit your port mirroring session
  2. Change Session type to Encapsulated Remote Mirroring (L3) Source
  3. Configure additional parameters:
    • Encapsulation VLAN ID: 100
    • IP Address: [Your remote analyzer IP]
    • Click Next and complete configuration

Option B: Filter Specific Traffic

To mirror only specific traffic types:

  1. Some filtering can be achieved using distributed firewall rules
  2. Or use VLANs to segment traffic before mirroring
  3. Post-capture filtering in Wireshark using display filters:
ip.src == 192.168.91.201
tcp.port == 80
icmp

Option C: Multiple Source Ports

To mirror traffic from multiple VMs:

  1. Edit your existing port mirroring session
  2. In the Sources section, click + Add
  3. Select additional ports from the same or different port groups
  4. All selected source traffic will mirror to the same destination

Part 7: Monitoring and Troubleshooting

Step 7.1: Verify Port Mirroring Status

In vCenter:

  1. Navigate to Lab-VDS-01 → Configure → Port Mirroring
  2. Verify session status is Enabled
  3. Check source and destination port assignments

Via ESXi Shell/SSH:

# SSH to your ESXi host
ssh root@192.168.91.129

# List distributed switches
esxcli network vswitch dvs vmware list

# List virtual switches with their DVPort IDs and connected clients
esxcfg-vswitch -l

# Check network statistics
esxtop
# Press 'n' for network view

Step 7.2: Common Issues and Solutions

Issue 1: No Traffic Appearing in Monitor VM

Solutions:

  • Verify promiscuous mode is enabled on Lab-Monitor-PG
  • Confirm both VMs are powered on
  • Check that correct ports are selected as source/destination
  • Verify port mirroring session is enabled
  • Ensure monitor VM’s network adapter is in promiscuous mode

Issue 2: Partial Traffic Capture

Solutions:

  • Check sampling rate is set to 1 (captures every packet)
  • Verify snapshot length is 65535 for full packet capture
  • Check direction is set to “Ingress and Egress”
  • Verify no CPU resource constraints on ESXi host

Issue 3: Cannot Find VM Ports

Solutions:

  • Ensure VMs are connected to distributed port groups
  • Power on VMs before selecting source/destination ports
  • Check VM network adapter is connected (checkbox in VM settings)
  • Refresh the port mirroring configuration page

Issue 4: Performance Impact

Solutions:

  • Reduce sampling rate if capturing high-bandwidth traffic
  • Limit snapshot length to capture only headers (set to 128 bytes)
  • Mirror only specific port groups rather than all traffic
  • Monitor ESXi host CPU and network utilization

Step 7.3: Verification Commands

On Monitor VM (verify capture):

# Check interface is receiving packets
ifconfig eth0
# Look for RX packets incrementing

# Verify promiscuous mode
ip link show eth0
# Should show PROMISC flag

# Test with tcpdump
sudo tcpdump -i eth0 -c 10
# Should show packets immediately

On ESXi Host (via SSH):

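# Check distributed switch configuration
esxcli network vswitch dvs vmware list

# View port statistics (the command requires a port ID)
# 1. Find the VM's World ID
esxcli network vm list
# 2. List that VM's ports to get the Port ID
esxcli network vm port list -w <World-ID>
# 3. Show the counters for that port
esxcli network port stats get -p <Port-ID>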

Part 8: Performance Testing

Step 8.1: Measure Capture Effectiveness

Generate Known Traffic:

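# On VM2 (Monitor) - start the counter first; it stops by itself after 120 s
# (stopping tcpdump with Ctrl-C would also kill wc before it prints the count)
sudo timeout 120 tcpdump -i eth0 -n icmp | wc -l

# On VM1 (Source) - then send 1000 pings (intervals below 0.2 s may need root)
sudo ping 192.168.91.1 -c 1000 -i 0.1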

Expected: Close to 2000 packets (1000 requests + 1000 replies)
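
An added example (not from the original article) that automates the two checks Steps 5.4 and 8.1 ask you to make by eye: that the capture contains VM1 traffic not addressed to the monitor VM, and that no echo requests or replies were lost. It goes slightly beyond the text by finding gaps from ICMP sequence numbers; the function names, the sample lines, and the reliance on `tcpdump -n` IPv4 text output are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: grade a mirrored capture from `tcpdump -n` text output.
# Assumes Linux ping numbering (seq starts at 1) and IPv4 lab addresses.

# usage: mirror_report SRC_IP MON_IP EXPECTED_PINGS  < tcpdump text
mirror_report() {
  awk -v src="$1" -v mon="$2" -v want="$3" '
    # Strip a trailing ":" and any ".port" suffix from an IPv4 endpoint.
    function ip4(a,   p) {
      sub(/:$/, "", a); split(a, p, ".")
      return p[1] "." p[2] "." p[3] "." p[4]
    }
    $2 != "IP" { next }                          # skip ARP, IPv6, etc.
    {
      s = ip4($3); d = ip4($5)
      if (s == mon || d == mon) { own++; next }  # monitor VM own traffic
      if (s != src && d != src) next             # unrelated traffic
      mirrored++                                 # proof the session works
      if ($6 == "ICMP" && $7 == "echo") {
        for (i = 8; i < NF; i++) if ($i == "seq") n = $(i + 1) + 0
        if ($8 == "request,") req[n] = 1
        if ($8 == "reply,")   rep[n] = 1
      }
    }
    END {
      for (n = 1; n <= want; n++) {
        if (!(n in req)) mreq++
        if (!(n in rep)) mrep++
      }
      printf "mirrored=%d own=%d missing_requests=%d missing_replies=%d\n",
             mirrored, own, mreq, mrep
    }'
}

# Constructed sample lines in the Step 5.4 format; the reply to seq 3 is absent.
sample_capture() {
  cat <<'EOF'
14:23:45.123456 IP 192.168.91.201 > 8.8.8.8: ICMP echo request, id 1234, seq 1, length 64
14:23:45.145678 IP 8.8.8.8 > 192.168.91.201: ICMP echo reply, id 1234, seq 1, length 64
14:23:46.123456 IP 192.168.91.201 > 8.8.8.8: ICMP echo request, id 1234, seq 2, length 64
14:23:46.145678 IP 8.8.8.8 > 192.168.91.201: ICMP echo reply, id 1234, seq 2, length 64
14:23:47.123456 IP 192.168.91.201 > 8.8.8.8: ICMP echo request, id 1234, seq 3, length 64
14:23:47.300000 IP 192.168.91.202.22 > 192.168.91.1.50412: Flags [P.], seq 1:37, ack 1, win 501, length 36
14:23:47.400000 ARP, Request who-has 192.168.91.1 tell 192.168.91.201, length 46
14:23:48.234567 IP 192.168.91.201.52345 > 93.184.216.34.80: Flags [S], seq 123456, win 64240, length 0
EOF
}

sample_capture | mirror_report 192.168.91.201 192.168.91.202 3
```

On VM2, a saved capture can be graded with `tcpdump -n -r /tmp/mirror_capture.pcap | mirror_report 192.168.91.201 192.168.91.202 1000`; `mirrored=0` with a non-zero `own` means the monitor VM is only seeing its own traffic.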

Step 8.2: Bandwidth Test

Install iperf3:

# On both VMs
sudo apt-get install iperf3

Generate Traffic:

# On VM1 - Run server
iperf3 -s

# On another VM - Run client
iperf3 -c 192.168.91.201 -t 30

# On VM2 - Monitor capture
sudo tcpdump -i eth0 port 5201 -w iperf_test.pcap

Analyze the capture to verify all traffic is mirrored.

Part 9: Lab Cleanup (Optional)

Step 9.1: Disable Port Mirroring

  1. Navigate to Lab-VDS-01 → Configure → Port Mirroring
  2. Select Lab-Mirror-Session-01
  3. Click Remove (trash icon)
  4. Confirm deletion

Step 9.2: Remove Distributed Switch (Optional)

If you want to return to standard switching:

  1. Migrate VMs back to standard switch port groups
  2. Remove ESXi host from distributed switch
  3. Delete distributed switch

Warning: Only do this if you’re certain you don’t need the VDS.
