CentOS virt - Mar 2016 - KVM networking issue

Hi folks,

I posted this question to the KVM list, but I thought I'd try here
too--sorry if this is the wrong place to post this, can you please
direct me to the correct forum or list if so, thanks!

I'm working on a network security project, using KVM installed on
CentOS 6.7 through yum. I have a VM with the goal of using this as a
network appliance, and two other VMs, one simulating an attack node
and the other simulating a vulnerable webapp. These are all connected
to the same internal private network set up in KVM. The idea with the
network appliance VM is to have it act as if it's connected to a
network tap so it can see the traffic between the other two VMs. I'm
not able to see the traffic currently and would appreciate your help
or suggestions to see if this is possible and how I can set this up if
so. I came across some information online suggesting to have the
interfaces in promiscuous mode, including the virtual NIC for the
private network, and I've tried all combinations. Thanks for any help
you can offer!

Thanks,

Kevin
-- 
sedecim at gmail.com

On Mon, Mar 21, 2016 at 1:33 PM, Kevin Ross <sedecim at gmail.com> wrote:
> Hi folks,
>
> I posted this question to the KVM list, but I thought I'd try here
> too--sorry if this is the wrong place to post this, can you please
> direct me to the correct forum or list if so, thanks!
>
> I'm working on a network security project, using KVM installed on
> CentOS 6.7 through yum. I have a VM with the goal of using this as a
> network appliance, and two other VMs, one simulating an attack node
> and the other simulating a vulnerable webapp. These are all connected
> to the same internal private network set up in KVM. The idea with the
> network appliance VM is to have it act as if it's connected to a
> network tap so it can see the traffic between the other two VMs. I'm
> not able to see the traffic currently and would appreciate your help
> or suggestions to see if this is possible and how I can set this up if
>
>From the KVM host you should be able to point tcpdump at the vnetX
interfaces and sniff.
I've had to do this on occasion (with a bridged network setup) when a web
hosting VM was being brute forced.

> so. I came across some information online suggesting to have the
> interfaces in promiscuous mode, including the virtual NIC for the
> private network, and I've tried all combinations. Thanks for any help
> you can offer!
>
Start by determining what interface your VM is attached to.

We have no idea the network layout of your KVM set up for VMs either.
Look at the XML for your VM to determine which interface it's tied to.

-- 
---~~.~~---
Mike
//  SilverTip257  //
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.centos.org/pipermail/centos-virt/attachments/20160322/7fd611c9/attachment-0002.html>

Hi Mike,

Thanks for the info. I'd rather run monitoring such as tcpdump from
the VM if possible and not the host as a simulation of a network
appliance and with the intent eventually of giving others access to
the VM and not the host. Here is the xml file for the private network:

<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh net-edit virbr1
or other application using the libvirt API.
-->

<network>
  <name>virbr1</name>
  <uuid>####</uuid>
  <forward mode='nat'/>
  <bridge name='virbr1' stp='on' delay='0' />
  <mac address='52:54:00:##:##:##'/>
  <ip address='192.168.100.1' netmask='255.255.255.0'>
  </ip>
</network>

There are two VMs connected to this interface, and the monitoring or
"appliance" VM is connected to both this and the external interface.

Please let me know if I can provide more info that will be relevant.

Thanks,

Kevin

On Tue, Mar 22, 2016 at 9:41 AM, Mike - st257 <silvertip257 at gmail.com>
wrote:
> On Mon, Mar 21, 2016 at 1:33 PM, Kevin Ross <sedecim at gmail.com>
wrote:
>>
>> Hi folks,
>>
>> I posted this question to the KVM list, but I thought I'd try here
>> too--sorry if this is the wrong place to post this, can you please
>> direct me to the correct forum or list if so, thanks!
>>
>> I'm working on a network security project, using KVM installed on
>> CentOS 6.7 through yum. I have a VM with the goal of using this as a
>> network appliance, and two other VMs, one simulating an attack node
>> and the other simulating a vulnerable webapp. These are all connected
>> to the same internal private network set up in KVM. The idea with the
>> network appliance VM is to have it act as if it's connected to a
>> network tap so it can see the traffic between the other two VMs.
I'm
>> not able to see the traffic currently and would appreciate your help
>> or suggestions to see if this is possible and how I can set this up if
>
>
> From the KVM host you should be able to point tcpdump at the vnetX
> interfaces and sniff.
> I've had to do this on occasion (with a bridged network setup) when a
web
> hosting VM was being brute forced.
>
>>
>> so. I came across some information online suggesting to have the
>> interfaces in promiscuous mode, including the virtual NIC for the
>> private network, and I've tried all combinations. Thanks for any
help
>> you can offer!
>
>
> Start by determining what interface your VM is attached to.
>
> We have no idea the network layout of your KVM set up for VMs either.
> Look at the XML for your VM to determine which interface it's tied to.
>
> --
> ---~~.~~---
> Mike
> //  SilverTip257  //
>
> _______________________________________________
> CentOS-virt mailing list
> CentOS-virt at centos.org
> https://lists.centos.org/mailman/listinfo/centos-virt
>


-- 
sedecim at gmail.com