Problem: VMware virtual interfaces cannot be captured directly using Wireshark.

Solution: The vmnet-sniff command is capable of writing libpcap files, which can be read by Wireshark. To capture in real time, the vmnet-sniff output can be written to a UNIX (OSX) pipe, which can then be read by Wireshark.

Limitations:

OSX Issues:
- vmnet-sniff must be run as root (using sudo).
- Piping directly to Wireshark is complicated by having to enter an admin password.
- Running as root (using su -) causes various issues, as the root user profile does not persist across sessions.
- User profiles do not include a PATH to vmnet-sniff. Copying the vmnet-sniff command to a working directory in the home folder can save a lot of typing and access issues.
- The vmnet-sniff command can be found in /Library/Application Support/VMware Fusion

Example: Make a working folder. Copy vmnet-sniff. Create the pipe. Launch vmnet-sniff. Launch a new terminal session. In the new terminal, launch Wireshark to capture HTTP traffic.

    # terminal session 1
    mkdir ~/temp
    cp "/Library/Application Support/VMware Fusion/vmnet-sniff" ~/temp/
    mkfifo ~/temp/capture
    cd ~/temp
    # vmnet-sniff needs the interface to capture from; vmnet8 is an example name
    sudo ./vmnet-sniff -w ~/temp/capture vmnet8

    # terminal session 2
    Wireshark -f "tcp port 80" -k -i ~/temp/capture &

    # cleanup
    rm ~/temp/capture
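
The same pipe hand-off with the FIFO kept private to the capturing user, as an added example that is not part of the original article: the pipe is created mode 0600 inside a fresh 0700 directory, so only vmnet-sniff runs as root while Wireshark reads as the normal user. The `vmcap` directory prefix, the `SNIFF` path and the `vmnet8` interface name are assumptions.

```shell
#!/bin/sh
# Added example: private FIFO for the vmnet-sniff -> Wireshark hand-off.
# SNIFF and IFACE are assumptions; adjust them for your install.
SNIFF="${SNIFF:-$HOME/temp/vmnet-sniff}"   # copy of vmnet-sniff in the working folder
IFACE="${IFACE:-vmnet8}"                   # assumed interface name

# Create a fresh 0700 directory holding a 0600 FIFO; print the FIFO path.
make_capture_fifo() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/vmcap.XXXXXX") || return 1
    chmod 700 "$dir"
    if ! mkfifo -m 600 "$dir/capture"; then
        rmdir "$dir"
        return 1
    fi
    printf '%s\n' "$dir/capture"
}

# Remove the FIFO and its directory; refuse anything that is not a FIFO.
remove_capture_fifo() {
    [ -p "$1" ] || return 1
    rm -f "$1" && rmdir "$(dirname "$1")"
}

# Wireshark reads the pipe as the current user; only vmnet-sniff is run as root.
run_capture() {
    fifo=$(make_capture_fifo) || return 1
    trap 'remove_capture_fifo "$fifo"' EXIT   # clean up however the script ends
    trap 'exit 1' INT TERM
    Wireshark -f "tcp port 80" -k -i "$fifo" &
    sudo "$SNIFF" -w "$fifo" "$IFACE"
}

# Only start capturing when asked to: sh capture.sh run
if [ "${1:-}" = "run" ]; then
    run_capture
fi
```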