Network Monitor and VMware Fusion (vm-natd)

Post by jbf » Fri Oct 12, 2007 3:24 am

This is half question/half comment, I think :) Just some observations on my part while using the 2.0 beta...

I've noticed some interesting behaviour when using VMware with Little Snitch active. As some background, VMware offers a few different options for networking: NAT, bridged, and host-only. NAT effectively creates a software router, NAT'ing your host machine's connection. Bridged bridges the physical connection and makes the VM look just like another machine on the network. Host-only limits the connection to networking with the host.

I use both WinXP and Vista VMs, and normally operate in bridged mode, as things like VPN, etc., tend to work better. I've noticed that this actually bypasses Little Snitch completely, which is expected and fine with me. In NAT mode, Little Snitch will report connection requests for every application (e.g. IE, Outlook, etc.) within the VM as a request by the NAT daemon (vm-natd), which is also expected.

However, VMware leaves vm-natd running even when you're using bridged mode, and this is where I see some interesting Network Monitor activity: the Network Monitor reports incoming ICMP packets as traffic for vm-natd, though I'm not really sure what's happening to the packets, as I'm not presented with a Little Snitch window to accept/reject the 'connection.' Turn on something like Azureus and start downloading a few torrents, and suddenly the activity for vm-natd goes crazy with pings from sources all over the place (presumably BitTorrent peers).

Any idea what exactly is happening with this incoming vm-natd traffic that triggers Network Monitor but not the Little Snitch firewall?

Objective Development
Posts: 815
Joined: Fri Nov 10, 2006 4:39 pm

Post by johannes » Sat Oct 13, 2007 3:35 pm

ICMP packets are not bound to specific ports. Whenever a process listens for ICMP packets, it will receive all packets, not only those it is responsible for. It is the process's job to decide whether this was a packet it was waiting for or is interested in.

So if vm-natd listens for ICMP packets and any other process starts sending ICMP pings out, the replies to these pings will also be received by vm-natd.

It should discard these packets, but it will still receive them, and thus vm-natd is listed in Little Snitch's Network Monitor as having received data.

But as vm-natd was not sending anything (not creating an outbound connection), you don't get the Little Snitch Connection Alert for it.
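
The demultiplexing johannes describes, as an added example that is not part of the thread and not VMware's or Objective Development's code. A process holding a raw ICMP socket (SOCK_RAW/IPPROTO_ICMP, root-only) is handed every ICMP datagram the host receives; echo replies carry no port, so the process has to match the 16-bit identifier in the ICMP header against the one it sent, the way ping does, and drop everything else. The example models two such listeners with hypothetical identifiers (0x4E41 standing in for a vm-natd-like process, 0x5049 for a separate ping) and feeds them a constructed mix of traffic: replies meant for each of them, inbound echo requests from a handful of "peers", and one malformed datagram. No socket is opened, so it runs offline. The `received` counter is the figure Network Monitor would show; `accepted` is what the process actually acts on.

```python
"""Demultiplexing ICMP echo traffic by identifier, as a raw-ICMP-socket
listener must do. All packets are constructed in-process; no socket is opened."""
import struct
from dataclasses import dataclass, field

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over ICMP header + payload (pads odd length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build an ICMP echo request/reply: type, code, checksum, identifier, sequence."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes):
    """Return (type, code, identifier, sequence, payload), or None if the
    datagram is too short or its checksum does not verify (sum must be 0)."""
    if len(packet) < 8 or icmp_checksum(packet) != 0:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, code, ident, seq, packet[8:]


@dataclass
class EchoListener:
    """One process holding a raw ICMP socket. The kernel delivers *every* ICMP
    datagram to it; it keeps only echo replies carrying its own identifier."""
    ident: int
    received: int = 0                      # everything delivered (what a traffic monitor counts)
    accepted: list = field(default_factory=list)
    discarded: int = 0

    def deliver(self, packet: bytes) -> bool:
        self.received += 1
        parsed = parse_icmp(packet)
        if parsed is not None:
            icmp_type, _code, ident, seq, payload = parsed
            if icmp_type == ICMP_ECHO_REPLY and ident == self.ident:
                self.accepted.append((seq, payload))
                return True
        self.discarded += 1                # not ours (or malformed): silently dropped
        return False


def simulate(n_peers: int = 5) -> dict:
    """Constructed scenario: two raw-ICMP listeners on one host see the same wire."""
    natd = EchoListener(ident=0x4E41)      # hypothetical id for a vm-natd-like process
    pinger = EchoListener(ident=0x5049)    # hypothetical id for a separate ping
    wire = []
    for seq in range(3):                   # replies to the pinger's own requests
        wire.append(build_echo(ICMP_ECHO_REPLY, pinger.ident, seq, b"ping"))
    wire.append(build_echo(ICMP_ECHO_REPLY, natd.ident, 0, b"nat"))   # one reply for natd
    for peer in range(n_peers):            # inbound requests from unrelated remote hosts
        wire.append(build_echo(ICMP_ECHO_REQUEST, 0x1000 + peer, 1, b"peer"))
    wire.append(b"\x00\x00\xff\xff")       # truncated/malformed datagram
    for pkt in wire:                       # kernel copies each datagram to every raw ICMP socket
        natd.deliver(pkt)
        pinger.deliver(pkt)
    return {
        "natd": (natd.received, len(natd.accepted), natd.discarded),
        "pinger": (pinger.received, len(pinger.accepted), pinger.discarded),
    }


if __name__ == "__main__":
    for name, (rx, ok, dropped) in simulate().items():
        print(f"{name}: received={rx} accepted={ok} discarded={dropped}")
```

Both listeners are "charged" with all ten datagrams even though each acts on only its own replies; that gap between what the socket receives and what the process uses is exactly what shows up as inbound traffic for an otherwise idle daemon, with no outbound connection to alert on.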
