qemu-devel.nongnu.org archive mirror
From: Stefan Hajnoczi <stefanha@gmail.com>
To: Alexander Binun <binun@cs.bgu.ac.il>
Cc: kahilm@post.bgu.ac.il, markbl@post.bgu.ac.il, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] sniffing traffic between virtual machines
Date: Thu, 19 Dec 2013 10:05:19 +0100
Message-ID: <20131219090519.GA1976@stefanha-thinkpad.redhat.com>
In-Reply-To: <201312181153.rBIBruJ7001508@indigo.cs.bgu.ac.il>

On Wed, Dec 18, 2013 at 01:53:56PM +0200, Alexander Binun wrote:
> We are trying to monitor the traffic (network packets etc.) between VMs in KVM.  We succeeded in getting the address of the system call table (see http://syprog.blogspot.co.il/2011/10/hijack-linux-system-calls-part-iii.html) and intercepting the system calls going through the kernel.
> 
> In such a way we see ALL system calls (including those which were not initiated from within VMs).

You do not see guest system calls when you hook host system calls.  You
only see host system calls (including those made by QEMU).

> How can we filter out the system calls not related to VMs? What is your opinion regarding our approach?

Maybe I'm missing context for this discussion but I wouldn't intercept
system calls in order to monitor VM network traffic.

You can monitor VM traffic using libpcap on the VM's tap interface on
the host.  If you want fancier deep packet inspection, Open vSwitch
offers a flow-based interface so you can monitor just certain
conversations.

Stefan
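
The tap-interface approach suggested in the reply above, as an added example that is not part of the original message or of QEMU: it reads frames from a raw Linux AF_PACKET socket (the kernel facility libpcap uses for live capture) rather than calling libpcap itself. The interface name given on the command line (for instance tap0) and the sample frame are assumptions constructed for illustration.

```python
import socket
import struct
import sys

ETH_P_ALL = 0x0003  # capture every protocol (linux/if_ether.h)
ETH_P_IP = 0x0800   # EtherType for IPv4

def parse_frame(frame):
    """Return (src_mac, dst_mac, src_ip, dst_ip, ip_proto) for an untagged
    IPv4 Ethernet frame, or None for anything else (ARP, IPv6, VLAN, short)."""
    if len(frame) < 14 + 20:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_IP:
        return None
    ver_ihl = frame[14]
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        return None  # not IPv4 or invalid header length
    mac = lambda b: ":".join("%02x" % x for x in b)
    return (mac(src), mac(dst),
            socket.inet_ntoa(frame[26:30]),   # IPv4 source address
            socket.inet_ntoa(frame[30:34]),   # IPv4 destination address
            frame[23])                        # IPv4 protocol field

def sniff(ifname, count=10):
    """Print `count` IPv4 frames seen on the VM's tap device on the host.
    Linux only; needs CAP_NET_RAW (usually root)."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW,
                      socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))  # only this interface, i.e. only this VM's NIC
    seen = 0
    while seen < count:
        info = parse_frame(s.recv(65535))
        if info:
            print("%s -> %s  %s -> %s  proto=%d" % info)
            seen += 1
    s.close()

# Constructed sample: ICMP echo request between two made-up guest addresses.
SAMPLE_FRAME = bytes.fromhex(
    "525400aabb02" "525400aabb01" "0800"                         # Ethernet
    "4500001c000100004001" "0000" "c0a87a0a" "c0a87a0b"          # IPv4
    "0800f7ff00000000")                                          # ICMP

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sniff(sys.argv[1])   # e.g. the tap device name (assumed: tap0)
    else:
        print(parse_frame(SAMPLE_FRAME))
```

Because the socket is bound to one tap device, only that guest's frames are delivered, so no filtering of unrelated host activity is needed.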
