Xen users - May 2006 - Traffic Counting / port analysis using Xen 3.0.2?

Hi!

My first post here, so sorry if this question has been asked a hundred
times already. I searched the web for quite some time, but I wasn''t
able
to find a solution based on the howto''s out there...

In Xen 2.0.7 it was easy to do very detailed traffic counting using
mechanisms like tcpdump and such because the system acted like a hub. Now
with 3.0 it got more secure - the bridge acts like a switch. Of course,
that is preferrable, but how can I do a detailed traffic statistics of
different servers I have no access to (owned by other ppl)?

Can/must this be done in the Xen0-domain? Is there an more "elegant"
way
(security wise) to fire up an own virtual machine handling this and acting
as a bridge itself?
I am not very comfortable with iptables, so messing around with that would
create more security holes than fix things for me. - What means, that you
shouldn''t expect an iptables-hero here :).

Are there any tuts out there handling deeper nested networks using Xen3?
Like:

dom0
|-vm1
|-vm2
|-vm3
|  |-vm4
|  |-vm5
|
|-vm6

where vm3 is acting like a bridge but has the ability to filter/count
passing traffic to vm4 and 5. 4 and 5 have no "direct" connection to
dom0
- only by passing the bridge at vm3.

Any help is appreciated :D
Thanks in Advance!

Regards, Bigfoot29.


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

I think you can setup bridges in any config you want,
so I''m pretty sure you can accomplish what you''re trying to
do.
you should be able to setup a bridge with most of the domus on it
and one gateway domu, with an interface on the main bridge,
and another interface on a front bridge with the real eth0.
then it could setup it''s own bridge between the two, and
it would then be in a position to do bridge based
firewalling or accounting.

I found this page helpful:

   http://wiki.xensource.com/xenwiki/XenNetworking

And then this page, which shows how the shorwall guy setup a slightly 
more complex Xen network:

   http://shorewall.net/XenMyWay.html


hope that helps.

--fess



On May 21, 2006, at 1:14 PM, bigfoot29@www.bios.kicks-ass.org wrote:
> Hi!
>
> My first post here, so sorry if this question has been asked a hundred
> times already. I searched the web for quite some time, but I
wasn''t
> able
> to find a solution based on the howto''s out there...
>
> In Xen 2.0.7 it was easy to do very detailed traffic counting using
> mechanisms like tcpdump and such because the system acted like a hub. 
> Now
> with 3.0 it got more secure - the bridge acts like a switch. Of course,
> that is preferrable, but how can I do a detailed traffic statistics of
> different servers I have no access to (owned by other ppl)?
>
> Can/must this be done in the Xen0-domain? Is there an more
"elegant"
> way
> (security wise) to fire up an own virtual machine handling this and 
> acting
> as a bridge itself?
> I am not very comfortable with iptables, so messing around with that 
> would
> create more security holes than fix things for me. - What means, that 
> you
> shouldn''t expect an iptables-hero here :).
>
> Are there any tuts out there handling deeper nested networks using 
> Xen3?
> Like:
>
> dom0
> |-vm1
> |-vm2
> |-vm3
> |  |-vm4
> |  |-vm5
> |
> |-vm6
>
> where vm3 is acting like a bridge but has the ability to filter/count
> passing traffic to vm4 and 5. 4 and 5 have no "direct" connection
to
> dom0
> - only by passing the bridge at vm3.
>
> Any help is appreciated :D
> Thanks in Advance!
>
> Regards, Bigfoot29.
>
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@lists.xensource.com
> http://lists.xensource.com/xen-users

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

> Can/must this be done in the Xen0-domain? Is there an more
"elegant" way
> (security wise) to fire up an own virtual machine handling this and acting
> as a bridge itself?
I''m not sure I 100% understand what you''re trying to do (you
refer to
domains that you don''t control?)...

I would suggest two possibilities:

1. Get raw bytes count from the interface from dom0
cat /sys/class/net/vif#{id}.0/statistics/tx_bytes
cat /sys/class/net/vif#{id}.0/statistics/rx_bytes

Where id is the id for the running domain from xm list.

2. Use iptables
You can do quite complex traffic monitoring using iptables. See:
http://www.netfilter.org/ ...

-Rob

-- 
------------------------------------------------------
"98.5% of DNA is considered to be junk DNA with no known purpose.
Maybe it''s XML tags." -- Anon

"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are, by
definition, not smart enough to debug it." - Kernighan

http://www.robhulme.com/
http://robhu.livejournal.com/

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users