Using linux KVM/QEMU, I have a virtual machine with two NICs presented at the host as tap interfaces:
-net nic,macaddr=AA:AA:AA:AA:00:01,model=virtio \
-net tap,ifname=tap0a,script=ifupbr0.sh \
-net nic,macaddr=AA:AA:AA:AA:00:02,model=virtio \
-net tap,ifname=tap0b,script=ifupbr1.sh \
In the guest (also running linux), these are configured with different subnets:
eth0 Link encap:Ethernet HWaddr aa:aa:aa:aa:00:01
inet addr:10.0.0.10 Bcast:10.0.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth1 Link encap:Ethernet HWaddr aa:aa:aa:aa:00:02
inet addr:192.168.0.10 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Routes only go to the expected places:
ip route list
default via 10.0.0.1 dev eth0 metric 100
10.0.0.0/16 dev eth0 proto kernel scope link src 10.0.0.10
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.10
But somehow don't seem to be treated by KVM as being connected to distinct networks.
If I trace the individual interfaces, they both see the same traffic.
For example, if I ping on the 10.0.0.0/16 subnet, ping -I eth0 10.0.0.1
And simultaneously trace the two tap interfaces with tcpdump , I see the pings coming through on both tap interfaces:
sudo tcpdump -n -i tap0a
10:51:56.308190 IP 10.0.0.10 > 10.0.0.1: ICMP echo request, id 867, seq 1, length 64
10:51:56.308217 IP 10.0.0.1 > 10.0.0.10: ICMP echo reply, id 867, seq 1, length 64
sudo tcpdump -n -i tap0b
10:51:56.308190 IP 10.0.0.10 > 10.0.0.1: ICMP echo request, id 867, seq 1, length 64
10:51:56.308217 IP 10.0.0.1 > 10.0.0.10: ICMP echo reply, id 867, seq 1, length 64
That seems strange to me since it's pretty clear that the guest OS would have only actually sent this on the tap0a interface.
Is this expected behavior? Is there a way to keep the interfaces separate as I expected?
Is this some misconfiguration issue on my part?
Additional info, here are the two ifupbr0.sh and ifupbr1.sh scripts:
% cat ifupbr1.sh
#!/bin/sh
set -x
switch=br0
echo args = $*
if [ -n "$1" ];then
sudo tunctl -u `whoami` -t $1
sudo ip link set $1 up
sleep 0.5s
sudo brctl addif $switch $1
exit 0
else
echo "Error: no interface specified"
exit 1
fi
% cat ifupbr1.sh
#!/bin/sh
set -x
switch=br1
echo args = $*
if [ -n "$1" ];then
sudo tunctl -u `whoami` -t $1
sudo ip link set $1 up
sleep 0.5s
sudo brctl addif $switch $1
exit 0
else
echo "Error: no interface specified"
exit 1
fi
I see this problem even if I detach the "tap0b" interface from the br1. It still shows the traffic that I'd expect only for tap0a. That is, even when:
% brctl show
bridge name bridge id STP enabled interfaces
br0 8000.26a2d168234b no tap0a
br1 8000.000000000000 no
br2 8000.000000000000 no
It looks like I answered my own question eventually, but I'll document it for anyone else that hits this.
Evidently this really is the intended behavior of KVM for the options I was using.
At this URL:
http://wiki.qemu.org/Documentation/Networking
I found:
QEMU previously used the -net nic option instead of -device DEVNAME
and -net TYPE instead of -netdev TYPE. This is considered obsolete
since QEMU 0.12, although it continues to work.
The legacy syntax to create virtual network devices is:
-net nic,model=MODEL
And sure enough, I'm using this legacy syntax. I thought the new syntax was just more flexible but it apparently actually has this intended behavior:
The obsolete -net syntax automatically created an emulated hub (called
a QEMU "VLAN", for virtual LAN) that forwards traffic from any device
connected to it to every other device on the "VLAN". It is not an
802.1q VLAN, just an isolated network segment.
The vlans it supports are also just emulated hubs, and don't forward out to the host at all as best I can tell.
Regardless, I reworked the QEMU options to use the "new" netdev syntax and obtained the behavior I wanted here.
What do you have in the ifupbr0.sh and ifupbr1.sh scripts? What bridging tool are you using? That is the important piece which segregates your traffic to the interfaces desired.
I've used openvswitch to handle my bridging stuff. But before that I used bridge-utils in Debian.
I wrote some information about bridge-utils at http://blog.raymond.burkholder.net/index.php?/archives/31-QEMUKVM-BridgeTap-Network-Configuration.html. I have other posts regarding what I did with bridging on the OpenVSwitch side of things.
Related
I'm using tcpreplay and tcprewrite in openwrt.
And I want to resend captured packet to another node.
Bellow is my description.
External OpenWRT Computer1
eth0 wlan0
119.207.66.08 -----> 192.168.0.180 192.168.4.1 ------> 192.168.4.110
I captured packets from external using tcpdump.
tcpdump -i any -d 192.168.0.180 -w save_packet.pcap
And I tried rewriting packet's source IP and source MAC, destination IP and destination MAC.
tcprewrite -i save_packet.pcap -o rewrite_packet.pcap --enet-smac=[OpenWRT's MAC] \
--enet-dmac=[Computer1's MAC] -S 0.0.0.0/0:192.168.4.1 -D 192.168.0.180:192.168.4.110 -C
And replayed rewrite_packet.pcap
tcpreplay -i wlan0 rewrite_packet.pcap
Up to this, I received rewrite_packet in Computer1.
and Computer1 did response about this packet.
but not to External(119.207.66.08) but to OpenWRT(192.168.0.180)...
I want Computer1 response to External. But when I don't change Source IP, MAC, I cannot send to Computer1.119.207.66.08
please help me...
I've tried it for a while now, referring to resources on the net and man tcpdump. I just can't get it to work. I've tried sudo tcpdump -i any -A "dst port 62655 and src port 62665", then I tried sudo tcpdump -i any -A "(dst port 62655 and src port 62665)". I also tried sudo tcpdump -i any -A \(dst port 62655 and src port 62665\). I'm going nuts, what am I missing?? According to man tcpdump it's okay to use either and or &&
EDIT:
What do I mean by "it doesn't work"? If I only use sudo tcpdump -i any -A "dst port 62655" I can see the traffic from the server to the client. If I try to combine it in order to try to catch the incoming traffic as well (as described above) I see nothing (not even the outgoing traffic anymore - which worked before!).
By using "and", you're requiring each packet to meet both conditions. Your edit makes it sound like one condition is for incoming and one condition is for outgoing, so use "or" instead of "and".
As an aside, especially for common ports where there's likely more traffic, it's often useful to specify "host X.X.X.X" to filter for packets where the source or destination is the specified IP address.
Manpage for the filter expression
I'm in a network and i wanna capture ftp packets from another server in the network but i have a problem with tcpdump about this.
I've used this command :
tcpdump -i eth0 dst X.X.X.X -A and port 21
But it doesn't shows anything! ( i tested and sure that ftp port is 21 )
But if i use this on my server it works properly.
tcpdump -i eth0 -A and port 21
I've this problem when i enter " port " in the command. but if i enter a command without specific port it works and captures properly.
What is the problem?
Thanks.
I don't have enough reputation to ask a question, so this is part question and part insight.
Is the IP you're filtering on the client or the server for the FTP connection?
For the first command, try using src x.x.x.x or just host x.x.x.x and port 21.
For the second command, the "and" is not necessary with the -A flag. This should look more like this:
tcpdump -A -i eth0 port 21
tcpdump -Ai eth0 port 21
Another thing I've seen is if there are vlan tags, normal filtering won't work without adding "vlan and " to your filter. For example:
tcpdump -A -i eth0 "vlan and host x.x.x.x and port 21"
Also keep in mind that FTP uses a control and data connection. The control is over port 21, but the data can vary depending on whether you're using active or passive FTP.
I'm using the Chromium browser as the display for an embedded openSUSE-based project. Everything's going well, but I just now found out that Chromium is making dozens of connections to various *.ie100.net domains. I know this is Google's safe browsing system kicking in, but in my case this is useless because Chromium is just showing my own embedded server. I also know it isn't nefarious, and won't cause explicit harm, but I'm worried customers will see the traffic and get worried.
I've tried turning off safe browsing by editing .config/chromium/Default/Preferences...
"safebrowsing": {
"enabled": false
},
... but to no avail. I'm also worried that there are other Chromium features that may kick in and send backdoor traffic.
So, how can I tell Chromium to stop making unrequested outgoing connections? Do I need to block it at the system level?
My best solution has been to use iptables to block all outgoing request to ports 80 or 433. Yes, this prevents other browswers from being used in my product, but this isn't a problem for an embedded system.
Here's the script which cleans up any previous rules and then sets up blocking rules:
# Chrome has a nasty habit of connecting to various *.ie100.net domains, probably for
# safe browsing but who knows. Concern is that our customers will see these
# connections and wonder what the heck's going on. So, we block them.
# Kill any previous KILL_CHROME chain. First, get rid of all referencing rules
RULES=$(sudo iptables -L OUTPUT --line-numbers | grep KILL_CHROME | cut -d' ' -f1 | sort -r )
for rule in $RULES; do
sudo iptables -D OUTPUT $rule
done
# Clean out chain
sudo iptables --flush KILL_CHROME
# Remove chain
sudo iptables -X KILL_CHROME
# Now, build new rules. Add new iptables chain KILL_CHROME
sudo iptables -N KILL_CHROME
# Any newly-created outgoing tcp connections on eth0 to port 80 are routed to KILL_CHROME
sudo iptables -A OUTPUT -o eth0 -m conntrack --ctstate NEW -p tcp --dport 80 -j KILL_CHROME
# Any newly-created outgoing tcp connections on eth0 to port 443 are routed to KILL_CHROME
sudo iptables -A OUTPUT -o eth0 -m conntrack --ctstate NEW -p tcp --dport 443 -j KILL_CHROME
# Log every connection in KILL_CHROME
sudo iptables -A KILL_CHROME -j LOG --log-prefix "New Dropped: "
# And drop it like a hot potato.
sudo iptables -A KILL_CHROME -j
'Twould be good for Chromium to support some sort of flag to prevent this behavior, but since there doesn't seem to be one this is the best I can do.
What is the format to capture LLDP packets on an interface using tcpdump?
I tried the following format but it dint work:
tcpdump -w test.pcap -i eth0 lldp -vv
tcpdump -w test.pcap -i eth0 ether proto 0x88cc
The Ethernet type for LLDP is 0x88cc, so the filter to see only LLDP packets is ether proto 0x88cc.
-v is useful when used with -w to print a short count of packets matched, like this: Got 11.
-w means "write the raw packets to the file, and don't print anything"; -v means "print verbosely", so ostensibly the arguments don't make sense together but with -w, the -v option provides some utility.