
I'm running KVM on CentOS 5. I have a guest OS, Ubuntu 10.04, that has Snort 2.9 installed on it. The guest OS has two NICs, eth0 and eth1. One NIC, eth0, is configured with an IP and can be accessed from the network that the host OS is on. The second NIC has no IP and is used to receive mirrored traffic from a Cisco switch. On the host OS side, a tcpdump on br1, which is the bridge interface used for the guest OS running Snort, does see the mirrored traffic from the switch. But a tcpdump run on eth1 of the guest OS, which is the interface that's monitored by Snort, only sees broadcast or CDP packets from the switch. A tcpdump run on eth0 of the guest OS does show the mirrored traffic from the switch.

Any ideas?

  • Try checking for a KVM setting to allow the guest to use promiscuous mode. – devicenull Oct 05 '11 at 23:57
  • devicenull, I found the KVM setting to put an interface into promiscuous mode, but it didn't work. I applied the setting to the bridge interface, br1, and ran a tcpdump on both eth0 and eth1 of the guest OS, and saw only broadcast or CDP traffic. Also, I was mistaken about eth0 on the guest OS. This interface is only seeing broadcast traffic, or traffic for Snort, since Snort is currently configured to monitor eth0. – user97026 Oct 06 '11 at 20:14

2 Answers


I don't know if this will help, but I just ran into a similar problem while troubleshooting keepalived on two Linux KVM guests, each running Ubuntu 10.04. I found that running tcpdump -i eth1 would see the multicast addresses (which are on a different subnet than the IP assigned to the NIC), but if I ran tcpdump -i any it wouldn't. I did some further testing of tcpdump while monitoring dmesg and found that when I used the eth1 device with tcpdump it would put the NIC into promiscuous mode, but when using the "any" device, neither eth0 nor eth1 entered promiscuous mode. This is contrary to how it's handled on a physical host, where "any" puts all NICs into promiscuous mode, or at least on the hosts I tested with.

I ran the command ip link set eth1 promisc on, and then when I used the "any" device it was able to see the traffic. This applied equally to eth0; however, I knew the traffic I wanted wasn't coming in there, so I only did this to test. You can save this for the host by editing /etc/network/interfaces and adding a line beginning with "post-up " followed by the command you just used; this ensures the device enters promiscuous mode when the host is booted.

I don't believe a NIC would normally need to be in promiscuous mode to see multicast traffic, but in this case with the KVM guest it seems that was the case, and it appears that if the device is not set to promiscuous it only sees IP packets on the same subnet as the NIC's IP. Snort uses libpcap, the same library as tcpdump IIRC, and if it's trying to set promiscuous mode via the "any" interface then it seems it's not succeeding where it should. I don't believe keepalived requires promiscuous mode under normal circumstances, but in this case it seems to be the only way to see the multicast traffic.

Hope this helps.


After a longer search I found this very simple/easy solution, if you know about it:

http://adamdoupe.com/blog/2010/10/22/configuring-linux-bridge-to-act-as-a-hub/

brctl setageing <bridgename> 0 
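The two answers above point at two different places where mirrored frames can be dropped before Snort sees them: the guest NIC not being in promiscuous mode, and the host bridge learning MAC addresses and forwarding unicast frames only to the port it learned them on, so that a sniffing port sees nothing but broadcast and flooded traffic. The script below is an added example, not code from either answer or from the original poster. It checks both conditions, parsing the PROMISC flag out of `ip link show` output and reading the bridge's ageing time from `/sys/class/net/<bridge>/bridge/ageing_time` (0 after `brctl setageing br1 0`), and emits an /etc/network/interfaces stanza built around the `post-up` line the first answer suggests. The interface and bridge names eth1 and br1 come from the question; the `inet manual` stanza shape and the sample `ip link` lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: verify the two fixes discussed in the answers.
# Not taken from the original posts; eth1/br1 come from the question,
# everything else here is an assumption of this example.

# Return 0 if an `ip link show dev X` output carries the PROMISC flag.
# Flags are the comma-separated list inside the first <...> on the line.
link_has_promisc() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^[^<]*<\([^>]*\)>.*/\1/p' | head -n 1)
    case ",$flags," in
        *,PROMISC,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if a bridge ageing value (contents of
# /sys/class/net/<bridge>/bridge/ageing_time) is 0, i.e. the bridge
# never learns addresses and floods unicast to every port (hub mode).
ageing_is_zero() {
    [ "$1" = "0" ]
}

# Print an ifupdown stanza for an IP-less sniffing interface that is
# brought up and put into promiscuous mode at boot (assumed layout;
# the post-up command is the one from the first answer).
interfaces_stanza() {
    dev=${1:-eth1}
    printf 'auto %s\n' "$dev"
    printf 'iface %s inet manual\n' "$dev"
    printf '    up ip link set %s up\n' "$dev"
    printf '    post-up ip link set %s promisc on\n' "$dev"
}

# Live check inside the guest; not exercised by the samples below.
check_guest_iface() {
    dev=${1:-eth1}
    out=$(ip link show dev "$dev") || return 2
    if link_has_promisc "$out"; then
        echo "$dev: PROMISC set"
    else
        echo "$dev: PROMISC not set; run: ip link set $dev promisc on"
        return 1
    fi
}

# Live check on the KVM host; not exercised by the samples below.
check_host_bridge() {
    br=${1:-br1}
    f=/sys/class/net/$br/bridge/ageing_time
    [ -r "$f" ] || { echo "$br: not a bridge or sysfs file missing"; return 2; }
    if ageing_is_zero "$(cat "$f")"; then
        echo "$br: ageing 0 (hub mode, floods unicast to all ports)"
    else
        echo "$br: ageing $(cat "$f"); run: brctl setageing $br 0"
        return 1
    fi
}

# Constructed sample `ip link show` lines (not captured from the
# poster's systems), used to exercise the parser offline.
SAMPLE_PROMISC='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000'
SAMPLE_PLAIN='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000'
```

Run `check_guest_iface eth1` in the guest and `check_host_bridge br1` on the host; both return 1 with the command to run when the setting is missing. Note that the bridge fix alone is enough to get unicast mirror traffic to the guest's port, while the promisc setting is what lets the guest's own stack pass frames not addressed to it up to libpcap, so both are normally needed.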