VmkNicList
Overview
Evidence: VmkNicList
Description: List VmkNicList
Category: Network
Platform: esxi
Short Name: vmkniclist
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
VMkernel network interfaces (vmknic) provide ESXi management, vMotion, storage, and fault tolerance network connectivity. These interfaces are critical for hypervisor operations and can be targets for network-based attacks or misconfigurations that expose management networks.
Data Collected
This collector gathers structured data about vmkniclist.
VmkNicList Data
| Field | Description | Example |
|---|---|---|
| Interface | Interface | Example value |
| PortGroup | Port Group | Example value |
| IPFamily | IP Family | Example value |
| IPAddress | IP Address | Example value |
| Netmask | Netmask | Example value |
| Broadcast | Broadcast | Example value |
| MAC | MAC | Example value |
| MTU | MTU | 123 |
| TSOMSS | TSOMSS | 123 |
| Enabled | Enabled | Example value |
| Type | Type | Example value |
| NetStack | Net Stack | Example value |
Collection Method
This collector parses VMkernel NIC information, extracting interface names, DHCP/IPv6 settings, IP addresses, MAC addresses, MTU sizes, TSO/MSS values, enabled status, interface types, and network stack assignments for each configured VMkernel adapter.
Forensic Value
VMkernel interface configuration reveals management network topology, potential security misconfigurations, and unauthorized network modifications. Analyzing IP assignments, MAC addresses, and network stack associations helps detect rogue interfaces, validate network isolation, and identify attack vectors targeting hypervisor management.
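One way to run the analysis described above over parsed VmkNicList rows, as an added example that is not part of the collector or its documentation: it compares each row against a per-host baseline and reports unknown interfaces, changed MAC, port group or network stack values, and IPv4 addresses outside the expected subnet. The baseline structure, its Subnet key, the function name, and all sample values and value formats are constructed assumptions.

```python
import ipaddress

# Constructed baseline (assumption): expected state of each vmknic on one host.
BASELINE = {
    "vmk0": {"MAC": "00:50:56:aa:bb:01", "PortGroup": "Management Network",
             "NetStack": "defaultTcpipStack", "Subnet": "10.10.0.0/24"},
    "vmk1": {"MAC": "00:50:56:aa:bb:02", "PortGroup": "vMotion",
             "NetStack": "vmotion", "Subnet": "10.20.0.0/24"},
}

# Constructed sample rows keyed by the field names in the table above.
SAMPLE = [
    {"Interface": "vmk0", "PortGroup": "Management Network", "IPFamily": "IPv4",
     "IPAddress": "10.10.0.15", "MAC": "00:50:56:aa:bb:01", "Enabled": "true",
     "NetStack": "defaultTcpipStack"},
    {"Interface": "vmk1", "PortGroup": "vMotion", "IPFamily": "IPv4",
     "IPAddress": "192.168.50.7", "MAC": "00:50:56:aa:bb:02", "Enabled": "true",
     "NetStack": "defaultTcpipStack"},
    {"Interface": "vmk2", "PortGroup": "VM Network", "IPFamily": "IPv4",
     "IPAddress": "172.16.9.4", "MAC": "00:50:56:cc:dd:03", "Enabled": "true",
     "NetStack": "defaultTcpipStack"},
]

def audit_vmknics(rows, baseline):
    """Return (interface, finding) tuples for deviations from the baseline."""
    findings, seen = [], set()
    for row in rows:
        name = row["Interface"]
        seen.add(name)
        expected = baseline.get(name)
        if expected is None:  # possible rogue or unauthorized interface
            findings.append((name, "interface not in baseline"))
            continue
        for field in ("MAC", "PortGroup", "NetStack"):
            if row[field].lower() != expected[field].lower():
                findings.append((name, f"{field} changed: {expected[field]} -> {row[field]}"))
        if row["IPFamily"] == "IPv4":  # isolation check: address must stay in its subnet
            addr = ipaddress.ip_address(row["IPAddress"])
            if addr not in ipaddress.ip_network(expected["Subnet"]):
                findings.append((name, f"IP {addr} outside {expected['Subnet']}"))
    for name in sorted(set(baseline) - seen):
        findings.append((name, "baseline interface missing from collection"))
    return findings

if __name__ == "__main__":
    for iface, finding in audit_vmknics(SAMPLE, BASELINE):
        print(f"{iface}: {finding}")
```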