Enabling Promiscuous Mode on Linux for VMware Workstation

On Linux (and most operating systems), promiscuous mode is not enabled by default because it’s a potential security risk.
> Packet sniffing: If any user could enable it, they could capture unencrypted traffic from other machines on the same LAN or virtual switch.
> Privilege escalation: Malicious software running under an unprivileged user could abuse promiscuous mode to harvest sensitive data (e.g., passwords, cookies).
> Network integrity: Allowing unrestricted packet capture could lead to unintended network mapping or reconnaissance within shared environments (multi-tenant servers, cloud, corporate networks).

For these reasons, only root or processes with the proper Linux capabilities (CAP_NET_RAW, CAP_NET_ADMIN) can enable it.

VMware software does not allow the virtual Ethernet adapter to go into promiscuous mode unless the user running the VMware software has permission to make that setting. This follows the standard Linux practice that only root can put a network interface into promiscuous mode.

When you install and configure your VMware software, you run the installation as root, and we create the vmnet0-vmnet3 devices with root ownership and root group ownership. We also give those devices read/write access for the owner root only. For a user to be able to set the virtual machine's network adapter to promiscuous mode, the user who launches the VMware product needs to have read/write access to the vmnetx device (/dev/vmnet0 if using basic bridged mode).

One way to do this is:

  1. Create a new group.
  2. Add the appropriate users to the group.
  3. Give that group read/write access to the appropriate device.
  4. These changes need to be made on the host operating system as root (su).
     For example:

    chgrp newgroup /dev/vmnet0
    chmod g+rw /dev/vmnet0

where newgroup is the group that should have the ability to set vmnet0 to promiscuous mode.

If you want all users to be able to set the virtual network adapter (/dev/vmnet0 in our example) to promiscuous mode, you can simply run the following command on the host operating system as root:

    chmod a+rw /dev/vmnet0
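
To confirm which of the two changes above is in effect on a host, the check below reports who can open each vmnet node read/write and flags nodes opened to every local user. It is an added example, not VMware code: the function names `vmnet_access` and `audit_vmnet` are hypothetical, and it assumes GNU `stat` (`stat -c`).

```sh
#!/bin/sh
# Added example, not VMware code: report who can open each vmnet node read/write.

# vmnet_access PATH prints one of:
#   owner-only      neither group nor others have rw (the state the installer leaves)
#   group:<name>    rw for members of <name> (after chgrp + chmod g+rw)
#   world           rw for every local user (after chmod a+rw)
vmnet_access() {
    # GNU stat: %a = octal permission bits, %G = owning group name
    info=$(stat -c '%a %G' "$1" 2>/dev/null) || { echo "unreadable"; return 2; }
    mode=${info%% *}
    group=${info#* }
    perm=$((0$mode))                 # leading 0 makes the shell parse it as octal
    if [ $((perm & 6)) -eq 6 ]; then
        echo "world"
    elif [ $(((perm >> 3) & 6)) -eq 6 ]; then
        echo "group:$group"
    else
        echo "owner-only"
    fi
}

# audit_vmnet DIR prints "<node> <access>" for every DIR/vmnet* entry and
# returns 1 if any node is world read/write, 0 otherwise.
audit_vmnet() {
    rc=0
    for dev in "$1"/vmnet*; do
        [ -e "$dev" ] || continue    # glob matched nothing
        access=$(vmnet_access "$dev") || :
        echo "$dev $access"
        [ "$access" = "world" ] && rc=1
    done
    return $rc
}
```

Run `audit_vmnet /dev` on the host; a non-zero exit status means at least one vmnet device is read/write for all users.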

For Linux systems that use udev, you may see the following error, because device nodes are recreated at boot time:

The virtual machines operating system has attempted to enable promiscuous mode on adapter Ethernet0. This is not allowed for security reasons.

To resolve this error, create the vmnet* devices with the desired ownership and permissions under /udev/devices/, rather than creating them under /dev/ as above.

Note: The location depends on the flavor of Linux.