[SOLVED] tcpdump in a kvm virtualised vm / bridge not promiscuously forwarding

thisismyname · 07-09-2012, 06:15 AM

Hi There,

that's what i want to do: Run tcpdump in a virtualized machine for capturing the packets coming in on a physical interface.
Some Server Data:
- Fujisu Server
- Ubuntu Server 12.04
- KVM for Virtualization
- much ram, many cpus

(i tried the macvtap driver for direct connection, but had serious problems with them)

So here's my network config on the host (/etc/network/interfaces):

Code:

auto eth0
iface eth0 inet manual
auto br0
iface br0 inet manual
        bridge_ports eth0
        bridge_fd 0
        bridge_maxwait 0
        bridge_stp off
        bridge_agingtime 0

i also did a

Code:

/sbin/ifconfig eth0 promisc
/sbin/ifconfig br0 promisc

.
After that i was ableto watch the traffic counters climb on both interfaces. Now my virtual machine config, generated by virsh dumpxml <host> (snippet of the interface config):

Code:

    <interface type='bridge'>
      <mac address='52:54:00:65:b7:41'/>
      <source bridge='br0'/>
      <target dev='vnet2'/>
      <alias name='net2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </interface>

For that you probably want to know the brctl show output:

Code:

bridge name	bridge id		STP enabled	interfaces
br0		8000.001999c93109	no		eth0
							vnet2

I also did a /sbin/ifconfig eth0 promisc in the VM.
Doing a tcpdump -i eth0 -n -s0 -e actually does show me traffic from the interface. But only Layer2 Broadcast Traffic:

Code:

root@looky:~# tcpdump -i eth0 -n -s0 -e
tcpdump: WARNING: eth2: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
13:08:06.618810 c4:64:13:xx:xx:xx > 01:00:0c:cc:cc:cc, 802.3, length 424: LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Cisco (0x00000c), pid CDP (0x2000): CDPv2, ttl: 180s, Device-ID 'CS1.router.com', length 402
13:09:01.367012 c4:64:13:xx:xx:xx > 01:00:0c:cc:cc:cc, 802.3, length 424: LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Cisco (0x00000c), pid CDP (0x2000): CDPv2, ttl: 180s, Device-ID 'CS1.router.com', length 402

So, how can i get the interface into forwarding every single packet?? (I'm not running any iptables or any other firewall)

thx 4 your help & greeetz myname

thisismyname · 07-09-2012, 08:27 AM

I solved the problem by manually typing: brctl setagingtime br0 0

There was no error generated. But the option bridge_agingtime 0 has been set in the /etc/network/interfaces.

How can I figure out where there's the error in my /etc/network/interfaces configuration? Is there a way to debug the /etc/network/interfaces??