emscom > emscom Help Desk > Knowledgebase

Search help:

VMNet realtime packet capture


VMWare virtual interfaces can not be captured directly using Wireshark

The vmnet-sniff command is capable or writing libpcap files which can be read by Wireshark. To capture in realtime the vmnet-sniff output can be written to a UNIX (OSX) pipe which can then be read by Wireshark


  • It's a bit fragile. 
  • Capture options can not be changed once the capture has started
  • Stopping the capture causes vmnet-sniff to exit
  • vmnet-sniff and Wireshark must both be restarted once the capture has stopped 

OSX Issues:
vmnet-sniff must be run as root (using sudo). Piping directly to Wireshark is complicated by having to enter an admin password. Running as root (using su -) causes various issues as the root user profile does not persist across sessions. User profiles do not include a PATH to vmnet-sniff.

Copying vmnet-sniff command to a working directory in the home folder can save a lot of typing and access issues. The vmnet-sniff command can be found in \Library\Application/ Support\VMware /Fusion

Make a working folder. Copy vmnet-sniff. Create the pipe. Launch vmnet-sniff. Launch a new terminal session. In the new terminal launch Wireshark to capture http traffic.

#terminal session 1
md ~/temp
cp vmnet-sniff ~/temp/.
mkfifo ~/temp/capture
cd ~/temp
sudo ./vmnet-sniff -w ~/temp/capture

#terminal session 2
Wireshark -f "tcp port 80" -k -i ~/temp/capture &

rm ~/temp/capture


Was this article helpful? yes / no
Related articles Wireshark capture remotely
Sky broadband with 3rd party router
Article details
Article ID: 13
Category: Linux
Date added: 08-05-2011 08:06:15
Views: 2235
Rating (Votes): Article rated 3.1/5.0 (42)

« Go back

Powered by Help Desk Software HESK, in partnership with SysAid Technologies