Mirroring

How to monitor network traffic through a Hyper-V Switch

Create a new Hyper-V Virtual Switch for Mirroring

TIP:

Hyper-V 2016 does not work with most Broadcom/QLogic network cards. To determine whether your environment is supported, follow the steps listed below. Once you have saved your new virtual switch, open Virtual Switch Manager again, expand the new virtual switch, and select Extensions. If the NDIS Capture box is still checked, your install is supported. If the box is now unchecked, your Broadcom/QLogic cards are not supported. For other options, please contact us at help@perchsecurity.com.

  1. Identify an open physical NIC on the Hyper-V host to connect to the mirror port you have configured in the switch. If you have a switch capable of RSPAN, you can leverage that instead of a dedicated physical NIC. Please take a look at our Cisco RSPAN documentation for more details.

  2. Open Hyper-V Manager and connect to the Hyper-V host you want to manage.

  3. In the right pane, choose Virtual Switch Manager

  4. Create a new External switch by choosing External and clicking Create New Virtual Switch

  5. Name the switch appropriately (e.g. Mirror_Switch)

  6. Choose the same physical NIC you selected in step 1 and designate it as the external NIC to connect to

  7. Choose OK

  8. Open a PowerShell session on the Hyper-V host and run the following commands, replacing Mirror_Switch in the third command with the switch name you chose in step 5.

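    # Fetch the system default object for the port feature with this ID
    $a = Get-VMSystemSwitchExtensionPortFeature -FeatureId 776e0ba7-94a1-41c8-8f28-951f524251b5
    # Set the monitor mode on that feature object
    $a.SettingData.MonitorMode = 2
    # Apply the feature to the external port of the mirror switch
    Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName Mirror_Switch -VMSwitchExtensionFeature $a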

Note:

These commands will enable the virtual switch to receive packets from the physical mirror port.

  9. In the right pane of Hyper-V Manager, choose Virtual Switch Manager again.

  10. Select the newly created mirror switch, using the name you designated in step 5.

  11. Expand the virtual switch by selecting the + next to the switch name.

  12. Choose Extensions.

  13. Ensure Microsoft NDIS Capture is a selected extension.

  14. Click OK to apply the settings and exit the Virtual Switch Manager. Continue on to importing the Hyper-V virtual machine.
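
The checks from the TIP and from the PowerShell step can also be read back from the command line. The following is an added example, not a Perch script: `Test-MirrorSwitch` is a hypothetical helper name, `Mirror_Switch` is the example switch name from step 5, and it assumes an elevated PowerShell session on the Hyper-V host.

```powershell
# Added example: read-only check of the mirror switch built in the steps above.
# Test-MirrorSwitch is a hypothetical helper; it changes no settings.
function Test-MirrorSwitch {
    param(
        [string]$SwitchName = 'Mirror_Switch'   # example name from step 5
    )

    # Feature ID from the PowerShell step; its SettingData carries MonitorMode.
    $featureId = '776e0ba7-94a1-41c8-8f28-951f524251b5'
    $problems  = @()

    $switch = Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue
    if (-not $switch) {
        return [pscustomobject]@{ Switch = $SwitchName; Ok = $false; Problems = @('switch not found') }
    }
    if ($switch.SwitchType -ne 'External') {
        $problems += "switch type is $($switch.SwitchType), expected External"
    }

    # The TIP's check: NDIS Capture must still be enabled after the switch is saved.
    $capture = Get-VMSwitchExtension -VMSwitchName $SwitchName |
        Where-Object { $_.Name -eq 'Microsoft NDIS Capture' }
    if (-not $capture) {
        $problems += 'Microsoft NDIS Capture extension not present'
    } elseif (-not $capture.Enabled) {
        $problems += 'Microsoft NDIS Capture is disabled (NIC may be unsupported, see TIP)'
    }

    # Result of the PowerShell step: the external port should have MonitorMode = 2.
    $feature = Get-VMSwitchExtensionPortFeature -ExternalPort -SwitchName $SwitchName `
        -FeatureId $featureId -ErrorAction SilentlyContinue
    if (-not $feature) {
        $problems += 'port feature missing on the external port (commands not applied)'
    } elseif ($feature.SettingData.MonitorMode -ne 2) {
        $problems += "MonitorMode is $($feature.SettingData.MonitorMode), expected 2"
    }

    [pscustomobject]@{
        Switch   = $SwitchName
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

Test-MirrorSwitch -SwitchName 'Mirror_Switch' | Format-List
```

An `Ok` value of `False` lists which of the three conditions failed, which separates a missed PowerShell step from the unsupported-NIC case described in the TIP.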