# VmkNicList

## Overview

**Evidence:** VmkNicList\
**Description:** List VmkNicList\
**Category:** Network\
**Platform:** esxi\
**Short Name:** vmkniclist\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

VMkernel network interfaces (vmknic) provide ESXi management, vMotion, storage, and fault tolerance network connectivity. These interfaces are critical for hypervisor operations and can be targets for network-based attacks or misconfigurations that expose management networks.

## Data Collected

This collector gathers structured data about vmkniclist.

### VmkNicList Data

| Field       | Description | Example       |
| ----------- | ----------- | ------------- |
| `Interface` | Interface   | Example value |
| `PortGroup` | Port Group  | Example value |
| `IPFamily`  | IP Family   | Example value |
| `IPAddress` | IP Address  | Example value |
| `Netmask`   | Netmask     | Example value |
| `Broadcast` | Broadcast   | Example value |
| `MAC`       | MAC         | Example value |
| `MTU`       | MTU         | 123           |
| `TSOMSS`    | TSOMSS      | 123           |
| `Enabled`   | Enabled     | Example value |
| `Type`      | Type        | Example value |
| `NetStack`  | Net Stack   | Example value |

## Collection Method

This collector parses VMkernel NIC information, extracting interface names, DHCP/IPv6 settings, IP addresses, MAC addresses, MTU sizes, TSO/MSS values, enabled status, interface types, and network stack assignments for each configured VMkernel adapter.

## Forensic Value

VMkernel interface configuration reveals management network topology, potential security misconfigurations, and unauthorized network modifications. Analyzing IP assignments, MAC addresses, and network stack associations helps detect rogue interfaces, validate network isolation, and identify attack vectors targeting hypervisor management.