From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:42270)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <stefanha@gmail.com>) id 1VtZXz-00073N-FR
	for qemu-devel@nongnu.org; Thu, 19 Dec 2013 04:05:41 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <stefanha@gmail.com>) id 1VtZXu-00082y-3R
	for qemu-devel@nongnu.org; Thu, 19 Dec 2013 04:05:35 -0500
Received: from mail-wg0-x22b.google.com ([2a00:1450:400c:c00::22b]:37376)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <stefanha@gmail.com>) id 1VtZXt-00082f-RP
	for qemu-devel@nongnu.org; Thu, 19 Dec 2013 04:05:30 -0500
Received: by mail-wg0-f43.google.com with SMTP id k14so759228wgh.10
	for <qemu-devel@nongnu.org>; Thu, 19 Dec 2013 01:05:28 -0800 (PST)
Date: Thu, 19 Dec 2013 10:05:19 +0100
From: Stefan Hajnoczi <stefanha@gmail.com>
Message-ID: <20131219090519.GA1976@stefanha-thinkpad.redhat.com>
References: <20131014091220.GA30440@stefanha-thinkpad.redhat.com>
	<201312181153.rBIBruJ7001508@indigo.cs.bgu.ac.il>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <201312181153.rBIBruJ7001508@indigo.cs.bgu.ac.il>
Subject: Re: [Qemu-devel] sniffing traffic between virtual machines
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Alexander Binun <binun@cs.bgu.ac.il>
Cc: kahilm@post.bgu.ac.il, markbl@post.bgu.ac.il, qemu-devel@nongnu.org

On Wed, Dec 18, 2013 at 01:53:56PM +0200, Alexander Binun wrote:
> We are trying to monitor the traffic (network packets etc) between VMs in KVM.  We succeeded to get the address of the system call table (see http://syprog.blogspot.co.il/2011/10/hijack-linux-system-calls-part-iii.html) and intercept the system calls going through the kernel.
> 
> In such a way we see ALL system calls (including those which were not initiated from within VMs).

You do not see guest system calls when you hook host system calls.  You
only see host system calls (including those made by QEMU).

> How can we filter out the system calls not related to VMs ? What is your opinion regarding our approach ?

Maybe I'm missing context for this discussion but I wouldn't intercept
sytems calls in order to monitor VM network traffic.

You can monitor VM traffic using libpcap on the VM's tap interface on
the host.  If you want fancier deep packet inspection, Open vSwitch
offers a flow-based interface so you can monitor just certain
conversations.

Stefan