How to monitor network traffic through a Hyper-V Switch
DUE TO ISSUES WITH THE MICROSOFT NDIS CAPTURE STACK IN HYPER-V, PERCH HAS DROPPED SUPPORT FOR HYPER-V 2016 UNTIL A PERMANENT FIX HAS BEEN IDENTIFIED.
- Identify an open physical NIC on the Hyper-V host to connect to the mirror port you have configured in the switch. If you have a switch capable of RSPAN, you can leverage that instead of a dedicated physical NIC. Please take a look at our Cisco RSPAN documentation for more details.
- Open the Hyper-V manager and connect to the desired Hyper-V host to manage.
- In the right pane, choose Virtual Switch Manager.
- Create a new External switch by choosing External and clicking Create New Virtual Switch.
- Name the switch appropriately (e.g. Mirror_Switch).
- Choose the physical NIC identified in step 1 as the external NIC to connect to.
- Choose OK.
- Open a PowerShell session on the Hyper-V host and execute the following commands, replacing Mirror_Switch in the third command with the switch name you set in step 5.

  ```powershell
  $a = Get-VMSystemSwitchExtensionPortFeature -FeatureId 776e0ba7-94a1-41c8-8f28-951f524251b5
  $a.SettingData.MonitorMode = 2
  Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName Mirror_Switch -VMSwitchExtensionFeature $a
  ```

  These commands enable the virtual switch to receive packets from the physical mirror port.
- In the right pane of Hyper-V manager, choose Virtual Switch Manager again.
- Select the newly created Mirror_Switch switch as named in step 5.
- Expand the Virtual Switch by selecting the + next to the switch name.
- Choose Extensions.
- Ensure Microsoft NDIS Capture is a selected extension.
- Click OK to apply the settings and exit the Virtual Switch Manager.
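
The monitor-mode setting and the capture extension from the steps above can be applied and verified in one pass from PowerShell. This is an added example, not Perch's own script; it assumes the external switch already exists and is named Mirror_Switch, and the variable names are illustrative.

```powershell
# Added example: apply and verify the mirror switch settings, safe to re-run.
# Assumption: the External switch was already created and named Mirror_Switch.
$SwitchName  = 'Mirror_Switch'                          # name chosen in step 5
$FeatureId   = '776e0ba7-94a1-41c8-8f28-951f524251b5'   # feature ID used in the commands above
$MonitorMode = 2                                        # value used in the commands above
$CaptureExt  = 'Microsoft NDIS Capture'
$ErrorActionPreference = 'Stop'

# Fail early if the switch is missing or is not an External switch.
$switch = Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue
if (-not $switch) { throw "Virtual switch '$SwitchName' was not found." }
if ($switch.SwitchType -ne 'External') {
    throw "'$SwitchName' is a $($switch.SwitchType) switch; expected External."
}

# Check whether the feature is already attached to the external port.
$current = Get-VMSwitchExtensionPortFeature -ExternalPort -SwitchName $SwitchName `
    -FeatureId $FeatureId -ErrorAction SilentlyContinue

if (-not $current) {
    # Not attached yet: same three commands as in the step above.
    $feature = Get-VMSystemSwitchExtensionPortFeature -FeatureId $FeatureId
    $feature.SettingData.MonitorMode = $MonitorMode
    Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName $SwitchName `
        -VMSwitchExtensionFeature $feature
}
elseif ($current.SettingData.MonitorMode -ne $MonitorMode) {
    # Attached with a different value: update it in place.
    $current.SettingData.MonitorMode = $MonitorMode
    Set-VMSwitchExtensionPortFeature -VMSwitchExtensionFeature $current
}

# Enable the capture extension if it is not already selected on the switch.
$ext = Get-VMSwitchExtension -VMSwitchName $SwitchName -Name $CaptureExt
if (-not $ext.Enabled) {
    Enable-VMSwitchExtension -VMSwitchName $SwitchName -Name $CaptureExt | Out-Null
}

# Read the settings back so the result is visible and can be logged.
$applied = Get-VMSwitchExtensionPortFeature -ExternalPort -SwitchName $SwitchName -FeatureId $FeatureId
[pscustomobject]@{
    Switch         = $SwitchName
    MonitorMode    = $applied.SettingData.MonitorMode
    CaptureEnabled = (Get-VMSwitchExtension -VMSwitchName $SwitchName -Name $CaptureExt).Enabled
}
```

Run it in an elevated PowerShell session on the Hyper-V host; the final object should show MonitorMode 2 and CaptureEnabled True.
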
Continue on to importing the Hyper-V virtual machine [here](/sensors/setting-up-a-hyperv-sensor/).