qemu-discuss

Re: [Qemu-discuss] KVM networking help needed - Promiscuous network conf


From: Vlad Yasevich
Subject: Re: [Qemu-discuss] KVM networking help needed - Promiscuous network configuration for guest Snort instance
Date: Tue, 18 Mar 2014 14:07:10 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0

On 03/18/2014 01:35 PM, Philip Wang wrote:
> Hi,
> 
> I am looking for some direction on how to configure KVM networking so that
> a promiscuous bridge/host nic/guest nic allows two different network
> monitoring packages to sniff the same physical traffic.
> 
> The idea is to run a commercial package on the CentOS 6.5 host and Snort,
> via Security Onion, on the guest, both being fed by a physical switch SPAN
> or physical firewall TAP.
> 
> The host has two NICs, one for management and one for sniffing.  I am using
> libvirt and libvirt-manager to supplement configuration.
> 
> I have basic bridge networking configured and connected on the management
> NIC, but I can't seem to figure out the missing piece for getting physical
> network traffic from the SPAN/TAP port to the Xubuntu guest NIC for
> sniffing.
> 
> I have seen mention of setting the bridge aging time to 0, but that did not
> seem to work and the only place I could find to verify the setting was by
> running brctl showmacs <bridge name>.  I have also seen posts saying this
> was more of a workaround, without discussing an alternate method.
> 
> I have tinkered with setting the host nic, bridge, and guest nic to
> promiscuous mode, only to see relatively equal traffic climb on the host
> nic and bridge, but not the guest nic.
> 
> Other searches have turned up discussions about tunctl and its
> implementation, so at this point I figured a reality check was in order.
> 
> Is this idea feasible?  If so, where should I be looking for information on
> how to implement it?
> 
> Thanks in advance for any pointers.
> 

To see absolutely all traffic you'll need to turn off some features
of the bridge you connect to your sniffing interface.

To make sure you see all multicast traffic, you'll need to
disable IGMP snooping:

# echo 0 > /sys/class/net/{bridge}/bridge/multicast_snooping

If you don't turn this off, the bridge might filter out multicast
traffic that the vm is not interested in.

To forward all unicast traffic seen by the bridge to the VM
you have to turn off learning on the port connected to the VM.

# echo 0 > /sys/class/net/{bridge}/brif/{port_nic}/learning

By default, the bridge learns the mac addresses of stations behind
the port and will only forward traffic that matches the mac address.
By turning off the above option, the bridge will no longer learn
the addresses and will fall back to flooding all traffic to all ports.

Another possibility is to use macvtap in passthru mode.  It will allow
you to capture traffic in both guest and host.  The limitation here is
that the host will not be able to function as a receiver.  It will simply
capture and pass the traffic through to the guest.

-vlad
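A worked form of the bridge-side settings described in the reply above, as an added example that is not part of the thread or of any QEMU/libvirt code. The bridge name br-span, the SPAN NIC eth1 and the guest tap vnet0 are assumed names; SYSFS_ROOT is a knob added here so the functions can be exercised against a scratch copy of the sysfs tree instead of the live /sys. Beyond the two attributes the reply names, it clears learning on the SPAN-facing port as well as on the tap, on the reasoning that a source address learned on the SPAN port would otherwise steer later frames for that address back to their ingress port, where the bridge drops them; it also emits the libvirt <interface> element for either the bridge attachment or the macvtap passthrough alternative.

```shell
#!/bin/sh
# Added example, not from the thread. Names br-span, eth1 and vnet0 are assumptions.
# SYSFS_ROOT defaults to the real sysfs; point it at a scratch tree to dry-run offline.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Path of a bridge-wide attribute, e.g. bridge_attr br-span multicast_snooping
bridge_attr() { printf '%s/class/net/%s/bridge/%s\n' "$SYSFS_ROOT" "$1" "$2"; }

# Path of a per-port attribute, e.g. port_attr br-span eth1 learning
port_attr() { printf '%s/class/net/%s/brif/%s/%s\n' "$SYSFS_ROOT" "$1" "$2" "$3"; }

# Disable IGMP snooping on the bridge and MAC learning on every listed port.
# Usage: harden_span_bridge BRIDGE PORT...
harden_span_bridge() {
  br="$1"; shift
  echo 0 > "$(bridge_attr "$br" multicast_snooping)" || return 1
  for port in "$@"; do
    echo 0 > "$(port_attr "$br" "$port" learning)" || return 1
  done
}

# Read the attributes back; print each mismatch and return 1 if any is wrong.
# Usage: verify_span_bridge BRIDGE PORT...
verify_span_bridge() {
  br="$1"; shift
  rc=0
  v=$(cat "$(bridge_attr "$br" multicast_snooping)" 2>/dev/null)
  if [ "$v" != "0" ]; then
    echo "multicast_snooping on $br is '${v:-missing}', want 0"; rc=1
  fi
  for port in "$@"; do
    v=$(cat "$(port_attr "$br" "$port" learning)" 2>/dev/null)
    if [ "$v" != "0" ]; then
      echo "learning on $br/$port is '${v:-missing}', want 0"; rc=1
    fi
  done
  return $rc
}

# Print (do not run) the link commands that precede the sysfs settings. The
# guest tap is attached by libvirt when the domain starts, so only the SPAN
# NIC is enslaved here; it carries no address and is left promiscuous.
# Usage: span_bridge_commands BRIDGE SPAN_NIC
span_bridge_commands() {
  cat <<EOF
ip link add name $1 type bridge
ip link set $2 master $1
ip link set $2 promisc on up
ip link set $1 up
EOF
}

# libvirt <interface> element for the guest's sniffing NIC:
#   bridge   - tap on the hardened bridge (host tools and the guest both see traffic)
#   passthru - macvtap passthrough of the SPAN NIC (guest owns it, host only taps the flow)
# Usage: guest_interface_xml bridge|passthru DEVICE
guest_interface_xml() {
  case "$1" in
    bridge)
      printf "<interface type='bridge'>\n  <source bridge='%s'/>\n  <model type='virtio'/>\n</interface>\n" "$2" ;;
    passthru)
      printf "<interface type='direct'>\n  <source dev='%s' mode='passthrough'/>\n  <model type='virtio'/>\n</interface>\n" "$2" ;;
    *)
      echo "unknown mode: $1" >&2; return 1 ;;
  esac
}

# Typical host run (root, real /sys), after the guest has been started once so vnet0 exists:
#   span_bridge_commands br-span eth1 | sh
#   harden_span_bridge br-span eth1 vnet0 && verify_span_bridge br-span eth1 vnet0
```

The verify step matters in practice: libvirt recreates the tap on every guest start, so per-port learning reverts to 1 and must be re-applied (a libvirt qemu hook or a udev rule on the vnet device are the usual places); running verify_span_bridge from the sniffing host's health check catches the silent regression in which the guest Snort instance sees only broadcast and multicast.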


