bigfoot29@www.bios.kicks-ass.org
2006-May-21 20:14 UTC
[Xen-users] Traffic Counting / port analysis using Xen 3.0.2?
Hi!

My first post here, so sorry if this question has been asked a hundred times already. I searched the web for quite some time, but I wasn't able to find a solution based on the howtos out there...

In Xen 2.0.7 it was easy to do very detailed traffic counting using mechanisms like tcpdump and such because the system acted like a hub. Now with 3.0 it got more secure - the bridge acts like a switch. Of course, that is preferable, but how can I do detailed traffic statistics of different servers I have no access to (owned by other ppl)?

Can/must this be done in the Xen0-domain? Is there a more "elegant" way (security wise) to fire up an own virtual machine handling this and acting as a bridge itself?
I am not very comfortable with iptables, so messing around with that would create more security holes than fix things for me. - Which means that you shouldn't expect an iptables-hero here :).

Are there any tuts out there handling deeper nested networks using Xen3? Like:

    dom0
    |-vm1
    |-vm2
    |-vm3
    | |-vm4
    | |-vm5
    |
    |-vm6

where vm3 is acting like a bridge but has the ability to filter/count passing traffic to vm4 and 5. 4 and 5 have no "direct" connection to dom0 - only by passing the bridge at vm3.

Any help is appreciated :D
Thanks in advance!

Regards, Bigfoot29.

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
fess
2006-May-29 02:05 UTC
Re: [Xen-users] Traffic Counting / port analysis using Xen 3.0.2?
I think you can set up bridges in any config you want, so I'm pretty sure you can accomplish what you're trying to do.

You should be able to set up a bridge with most of the domUs on it and one gateway domU, with an interface on the main bridge, and another interface on a front bridge with the real eth0. Then it could set up its own bridge between the two, and it would then be in a position to do bridge-based firewalling or accounting.

I found this page helpful:
http://wiki.xensource.com/xenwiki/XenNetworking

And then this page, which shows how the Shorewall guy set up a slightly more complex Xen network:
http://shorewall.net/XenMyWay.html

Hope that helps.

--fess

On May 21, 2006, at 1:14 PM, bigfoot29@www.bios.kicks-ass.org wrote:

> Hi!
>
> My first post here, so sorry if this question has been asked a hundred
> times already. I searched the web for quite some time, but I wasn't able
> to find a solution based on the howtos out there...
>
> In Xen 2.0.7 it was easy to do very detailed traffic counting using
> mechanisms like tcpdump and such because the system acted like a hub. Now
> with 3.0 it got more secure - the bridge acts like a switch. Of course,
> that is preferable, but how can I do detailed traffic statistics of
> different servers I have no access to (owned by other ppl)?
>
> Can/must this be done in the Xen0-domain? Is there a more "elegant" way
> (security wise) to fire up an own virtual machine handling this and acting
> as a bridge itself?
> I am not very comfortable with iptables, so messing around with that would
> create more security holes than fix things for me. - Which means that you
> shouldn't expect an iptables-hero here :).
>
> Are there any tuts out there handling deeper nested networks using Xen3?
> Like:
>
> dom0
> |-vm1
> |-vm2
> |-vm3
> | |-vm4
> | |-vm5
> |
> |-vm6
>
> where vm3 is acting like a bridge but has the ability to filter/count
> passing traffic to vm4 and 5. 4 and 5 have no "direct" connection to dom0
> - only by passing the bridge at vm3.
>
> Any help is appreciated :D
> Thanks in advance!
>
> Regards, Bigfoot29.
Robert Hulme
2006-Jun-01 13:24 UTC
Re: [Xen-users] Traffic Counting / port analysis using Xen 3.0.2?
> Can/must this be done in the Xen0-domain? Is there a more "elegant" way
> (security wise) to fire up an own virtual machine handling this and acting
> as a bridge itself?

I'm not sure I 100% understand what you're trying to do (you refer to domains that you don't control?)... I would suggest two possibilities:

1. Get raw byte counts from the interface from dom0:

    cat /sys/class/net/vif#{id}.0/statistics/tx_bytes
    cat /sys/class/net/vif#{id}.0/statistics/rx_bytes

   where id is the id for the running domain from xm list.

2. Use iptables. You can do quite complex traffic monitoring using iptables. See: http://www.netfilter.org/

...

-Rob

--
------------------------------------------------------
"98.5% of DNA is considered to be junk DNA with no known purpose. Maybe it's XML tags." -- Anon

"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." - Kernighan

http://www.robhulme.com/
http://robhu.livejournal.com/
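The per-vif sysfs counters from option 1 above, turned into a small dom0 accounting script. This is an added example and not code from the thread or from the Xen project; it assumes the sysfs layout the reply names (/sys/class/net/vif<domid>.0/statistics/), a hypothetical SYSFS_NET_ROOT override so the functions can be exercised against a constructed directory tree, and the second column of "xm list" being the domain ID. The sample counter values and the sample "xm list" output are constructed.

```shell
#!/bin/sh
# Added example: account per-domU traffic from dom0 via the vif sysfs counters.
# SYSFS_NET_ROOT is a hypothetical override (assumption, not a Xen knob) so the
# script can be run against a constructed tree instead of a live dom0.
SYSFS_NET_ROOT="${SYSFS_NET_ROOT:-/sys/class/net}"

# vif_counter DOMID rx|tx -> prints the cumulative byte count for that domain's
# first vif; fails (non-zero) if the counter file is missing or unreadable.
vif_counter() {
    f="$SYSFS_NET_ROOT/vif$1.0/statistics/$2_bytes"
    [ -r "$f" ] || { echo "vif_counter: no counter at $f" >&2; return 1; }
    cat "$f"
}

# The backend vif is dom0's end of the guest's NIC, so its perspective is
# reversed: bytes dom0 *transmits* on vifN.0 are bytes the guest *receives*.
guest_rx_bytes() { vif_counter "$1" tx; }
guest_tx_bytes() { vif_counter "$1" rx; }

# counter_delta BEFORE AFTER -> bytes moved in the interval. If AFTER < BEFORE
# the vif was recreated (guest rebooted) or the counter wrapped, so the new
# reading is counted from zero instead of producing a negative number.
counter_delta() {
    if [ "$2" -lt "$1" ]; then echo "$2"; else echo $(( $2 - $1 )); fi
}

# running_domids <- "xm list" output on stdin -> domain IDs, skipping the
# header line and Domain-0 (which has no backend vif of its own).
running_domids() { awk 'NR > 1 && $2 != 0 { print $2 }'; }

# make_sample_tree ROOT -> constructed sysfs look-alike for domains 3 and 5.
make_sample_tree() {
    for id in 3 5; do mkdir -p "$1/vif$id.0/statistics"; done
    echo 1000 > "$1/vif3.0/statistics/rx_bytes"   # constructed values
    echo 5000 > "$1/vif3.0/statistics/tx_bytes"
    echo 42   > "$1/vif5.0/statistics/rx_bytes"
    echo 0    > "$1/vif5.0/statistics/tx_bytes"
}

# Demo against the constructed tree. On a real dom0, drop this section and
# feed running_domids with the actual "xm list" output instead.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
SYSFS_NET_ROOT="$demo_root"
printf 'Name ID Mem(MiB)\nDomain-0 0 256\nvm3 3 128\nvm5 5 128\n' | running_domids |
while read -r id; do
    printf 'dom %s: guest rx=%s bytes, guest tx=%s bytes\n' \
        "$id" "$(guest_rx_bytes "$id")" "$(guest_tx_bytes "$id")"
done
rm -rf "$demo_root"
```

For interval accounting, sample each counter twice and pass the two readings to counter_delta; the reset handling matters because a domain that reboots gets a fresh vif and its counters start again at zero.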