VMware: Spurious http traffic

pts.
Tags:
Firewall management
Virtual OS
VMware
VMware Authorization Service
VMware DHCP Service
VMware NAT Service
Hi folks, Since I installed VMware in my laptop (to be able to demo some products while on the field), I have noticed in the firewall logs that my laptop is sending an awful lot of http traffic (tcp/80). I use a squid proxy server integrated in the firewall and (valid) web traffic needs to go through a different port. So when I see blocked port 80 requests in the firewall logs, I worry. It's usually something misconfigured, but also could be backdoors or esp adware/spyware.. I have run MS-AntiSpyware and found nothing suspicious. I also use Kaspersky Anti-virus with the additional spyware bases and again found (or let through) anything suspicious. VMware (v4.5.2-build 8848) virtual NIC is configured on Bridged mode. Funny thing is that it happens even with VMware not running (i.e. virtual machines powered off), although I have noticed three VMware processes running always (VMware NAT Service, VMware DHCP Service and VMware Authorization Service). The virtual OS I have installed is WinXP Pro SP2 with all patches. The host OS is also WinXP Pro SP2 with all patches. It may not be related at all with VMware, but I would appreciate if any of you have experienced a similar problem and what solution you've found (short of uninstalling VMware, that is :-) Cheers Hedgehog.

Answer Wiki

Thanks. We'll let you know when a new response is added.

This sounds similar to what I have seen on my VMWare — not exactly, but similar.

I was seeing lots of dropped port 137 traffic for addresses in the 192.168.x.x range, and thought we had a misconfigured PC on our network with some default IP address. I finally realized that VMWare configures a couple of virtual network adapters in Windows using the 192.168.x.x private range for its virtual networks. The rogue PC was mine!

This broadcast traffic was being sent out all of the adapters (real andvirtual), and the server was trying to respond, but it was going to the gateway on our network (firewall/router) and was being dropped. As soon as I disabled the virtual adapters in Network Connections, the dropped traffic stopped.

I’m not sure if the port 80 traffic you are seeing is in the same vein or not. Hope this helps a little.

Discuss This Question: 2  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Hedgehog
    Hi JeffJAG, Thanks for your answer. Most of the spurious traffic I see seems to go to Microsoft (Microsoft has several networks in the 207.46.x.x and the 64.4.x.x ranges, which is where most requests seem to be going). I bet it's some stupid auto-update or sth like that. There was also some traffic on UDP/3544 so I had to disable IPv6 in the laptop (it's installed along with the advanced networking pack and tries to use a MS gateway for tunneling IPv6 in IPv4 - typical MS...) How did you disabled the VMware virtual adapters? Did that affect the bridged connection to the host machine? I ask because I need to have network access to the main LAN from within the virtual OS... Thanks, Hedgehog.
    0 pointsBadges:
    report
  • WebTrekker
    By default the installer creates two additional adapters, VMNET1 and VMNET8. These are used for DHCP and host only connections and are quite active. If you don't need them, you can disable them in the control panel to cut back on network traffic. I don't know this for a fact, but I believe that VMWare has a "keep-alive" going on these connections. The other thing that occurs is that with Windows clients, the Master Browser thing is always active and pinging, which can really tie up system resources. Finally, the "shared folders" thing is as chatty as NFS is on Unix andyou can cut down on a lot of network traffic by turning it off. Don't know if this will help at all - hope so =P
    0 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following