Hi Mike,
Thanks for the info. I'd rather run monitoring such as tcpdump from
the VM if possible and not the host as a simulation of a network
appliance and with the intent eventually of giving others access to
the VM and not the host. Here is the xml file for the private network:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh net-edit virbr1
or other application using the libvirt API.
-->
<network>
  <name>virbr1</name>
  <uuid>####</uuid>
  <forward mode='nat'/>
  <bridge name='virbr1' stp='on' delay='0' />
  <mac address='52:54:00:##:##:##'/>
  <ip address='192.168.100.1' netmask='255.255.255.0'>
  </ip>
</network>
There are two VMs connected to this interface, and the monitoring or
"appliance" VM is connected to both this and the external interface.
Please let me know if I can provide more info that will be relevant.
Thanks,
Kevin
On Tue, Mar 22, 2016 at 9:41 AM, Mike - st257 <silvertip257 at gmail.com> wrote:
> On Mon, Mar 21, 2016 at 1:33 PM, Kevin Ross <sedecim at gmail.com> wrote:
>>
>> Hi folks,
>>
>> I posted this question to the KVM list, but I thought I'd try here
>> too--sorry if this is the wrong place to post this, can you please
>> direct me to the correct forum or list if so, thanks!
>>
>> I'm working on a network security project, using KVM installed on
>> CentOS 6.7 through yum. I have a VM with the goal of using this as a
>> network appliance, and two other VMs, one simulating an attack node
>> and the other simulating a vulnerable webapp. These are all connected
>> to the same internal private network set up in KVM. The idea with the
>> network appliance VM is to have it act as if it's connected to a
>> network tap so it can see the traffic between the other two VMs. I'm
>> not able to see the traffic currently and would appreciate your help
>> or suggestions to see if this is possible and how I can set this up if
>
>
> From the KVM host you should be able to point tcpdump at the vnetX
> interfaces and sniff.
> I've had to do this on occasion (with a bridged network setup) when a web
> hosting VM was being brute forced.
>
>>
>> so. I came across some information online suggesting to have the
>> interfaces in promiscuous mode, including the virtual NIC for the
>> private network, and I've tried all combinations. Thanks for any help
>> you can offer!
>
>
> Start by determining what interface your VM is attached to.
>
> We have no idea the network layout of your KVM set up for VMs either.
> Look at the XML for your VM to determine which interface it's tied to.
>
> --
> ---~~.~~---
> Mike
> // SilverTip257 //
>
--
sedecim at gmail.com