Switches

How to monitor network traffic through a Hyper-V Switch

Create a new Hyper-V Virtual Switch for Mirroring

DUE TO ISSUES WITH THE MICROSOFT NDIS CAPTURE STACK IN HYPER-V, PERCH HAS DROPPED SUPPORT FOR HYPER-V 2016 UNTIL A PERMANENT FIX HAS BEEN IDENTIFIED.

  1. Identify an open physical NIC on the Hyper-V host to connect to the mirror port you have configured in the switch. If you have a switch capable of RSPAN, you can leverage that instead of a dedicated physical NIC. Please take a look at our Cisco RSPAN documentation for more details.
  2. Open Hyper-V Manager and connect to the Hyper-V host you want to manage.
  3. In the right pane, choose Virtual Switch Manager.
  4. Create a new External switch by choosing External and clicking Create New Virtual Switch.
  5. Name the switch appropriately (e.g. Mirror_Switch).
  6. Choose the physical NIC identified in step 1 as the external NIC to connect to.
  7. Choose OK.
  8. Open a PowerShell session on the Hyper-V host and run the following commands, replacing Mirror_Switch in the third command with the switch name you set in step 5.
    $a = Get-VMSystemSwitchExtensionPortFeature -FeatureId 776e0ba7-94a1-41c8-8f28-951f524251b5
    $a.SettingData.MonitorMode = 2
    Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName Mirror_Switch -VMSwitchExtensionFeature $a
    These commands enable the virtual switch to receive packets from the physical mirror port.
  9. In the right pane of Hyper-V Manager, choose Virtual Switch Manager again.
  10. Select the newly created Mirror_Switch switch as named in step 5.
  11. Expand the Virtual Switch by selecting the + next to the switch name.
  12. Choose Extensions.
  13. Ensure Microsoft NDIS Capture is a selected extension.
  14. Click OK to apply the settings and exit the Virtual Switch Manager.
    Continue on to importing the Hyper-V virtual machine [here](/sensors/setting-up-a-hyperv-sensor/).
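
The configuration produced by steps 4 to 14 can be checked from PowerShell on the Hyper-V host before the sensor is connected. The following is an added example, not part of the original procedure or vendor tooling; the function name `Test-MirrorSwitch` is hypothetical, and the switch name defaults to the example name from step 5.

```powershell
# Added example: read-only check of the mirror switch set up in steps 4-14.
# Run in an elevated PowerShell session on the Hyper-V host.
function Test-MirrorSwitch {
    param(
        [string]$SwitchName = 'Mirror_Switch'   # name chosen in step 5
    )

    # Feature ID and extension name exactly as given in steps 8 and 13.
    $featureId     = '776e0ba7-94a1-41c8-8f28-951f524251b5'
    $extensionName = 'Microsoft NDIS Capture'
    $problems      = @()

    # Steps 4-7: the switch must exist and be of type External.
    $switch = Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue
    if (-not $switch) {
        Write-Warning "Virtual switch '$SwitchName' was not found."
        return $false
    }
    if ($switch.SwitchType -ne 'External') {
        $problems += "Switch type is '$($switch.SwitchType)', expected External."
    } else {
        # Shows which physical NIC is bound, to compare with step 1.
        Write-Host "Bound NIC: $($switch.NetAdapterInterfaceDescription)"
    }

    # Step 8: the port feature must be on the external port with MonitorMode 2.
    $feature = Get-VMSwitchExtensionPortFeature -ExternalPort `
        -SwitchName $SwitchName -FeatureId $featureId -ErrorAction SilentlyContinue
    if (-not $feature) {
        $problems += 'Port feature from step 8 is not applied to the external port.'
    } elseif ($feature.SettingData.MonitorMode -ne 2) {
        $problems += "MonitorMode is $($feature.SettingData.MonitorMode), expected 2."
    }

    # Step 13: the capture extension must be enabled on this switch.
    $ext = Get-VMSwitchExtension -VMSwitchName $SwitchName -Name $extensionName `
        -ErrorAction SilentlyContinue
    if (-not $ext -or -not $ext.Enabled) {
        $problems += "Extension '$extensionName' is not enabled on the switch."
    }

    $problems | ForEach-Object { Write-Warning $_ }
    return ($problems.Count -eq 0)
}

Test-MirrorSwitch -SwitchName 'Mirror_Switch'
```

The function returns `$true` only when all three checks pass; each failed check is written as a warning that points back to the step to repeat.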