WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-users] Snort monitoring of Xen guests

from [Mark Chandler] [Permanent Link][Original]
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Snort monitoring of Xen guests
From: Mark Chandler <mcl@xxxxxxxxxxx>
Date: Sun, 27 Apr 2008 15:22:37 +1000
Delivery-date: Sat, 26 Apr 2008 22:23:11 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.12 (X11/20080226) 
Hi all,
From another post on this list, it seems that the only way to monitor all traffic to guests in a host is to bind to the peth interface that is bound to the bridge that serves the guests. Is this the only way of doing it? Ideally, I'd like to have one guest running Snort that monitors everything else.
I've tried using tcpdump to monitor traffic on various interfaces, but I've never had a completely satisfactory result. On guest interfaces, I can only see traffic for that guest (this seems to be a feature); on Dom0 I get a long pause (10-20s), then I start to see packets. Also, with the Dom0 monitoring, I can only seem to see traffic on the peth interface. Binding to vif0.0 gives me nothing interesting.
At the moment, I'm researching the use of tc (traffic control) to mirror traffic to another device to get the effect of a monitor port on the xen-bridge. 

Any help on this would be very appreciated.

Mark C.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-users] dd trough scp with tar, Todd Deshane
Next by Date:  [Xen-users] Question about hiding pci devices., mmelyp
Previous by Thread:  Re: [Xen-users] Release 0.8.9 of GPL PV drivers for Windows, James Harper
Next by Thread:  Re: [Xen-users] Snort monitoring of Xen guests, John Haxby
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy