Virtual machine as sniffer machine?? Is it possible??

szympek1234

New Member
Jan 28, 2010
Hi,
I want to use a Proxmox VM as a virtual sniffing machine. I installed WS2003 on a VM and
tried to capture packets; the network switch has port mirroring enabled (WS2003, WinPcap 4.11,
Wireshark, WinDump, emulated network card: e1000, rtl8139, virtio with promiscuous flag on
and off, Windows firewall off). This configuration worked very well on a real machine
and captured all packets. The same problem appears on a Linux VM (Ubuntu).

Please help :)

Proxmox version
=========================================
Version (package/version/build) pve-manager/1.5/4618
Kernel Version Linux 2.6.32-1-pve #1 (Kernel 2.6.10, 2.6.24 also)
Real network adapter: Intel PRO/100S dual port server adapter (i82550gy)

The sniffer on the VM captures only broadcast packets and packets sent to/from my VM.
windows guest
=========================================
>windump -i eth1 -n -N -l
08:36:20.022680 arp who-has 10.11.17.179 tell 10.11.17.100
08:36:20.038255 arp who-has 10.12.12.102 tell 10.12.12.39
08:36:20.041482 IP 192.168.130.107.53425 > 224.0.0.252.5355: UDP, length 23
08:36:20.041769 IP 192.168.130.107.53425 > 224.0.0.252.5355: UDP, length 23
08:36:20.060912 arp who-has 10.11.12.113 tell 83.238.201.25
08:36:20.060914 arp who-has 10.11.19.197 tell 10.11.19.100
08:36:20.078801 arp who-has 10.11.17.93 tell 10.11.17.100
08:36:20.079057 arp who-has 10.11.17.93 tell 10.11.17.100
08:36:20.209150 IP 192.168.13.171.3805 > 239.255.255.250.1900: UDP, length 101
08:36:20.192125 IP 192.168.113.190.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1d:92:08:dc:20, length 300
08:36:20.192243 IP 192.168.113.190.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1d:92:08:dc:20, length 300

The sniffer on Proxmox captures all packets:
proxmox shell
=========================================
>tcpdump -i eth1 -n -N -l
08:02:28.913462 vlan 10, p 5, IP 212.182.18.160.52353 > 83.238.201.91.4321: P 72:108(36) ack 1 win 63
08:02:28.914205 vlan 10, p 0, IP 192.168.18.42.3263 > 95.211.95.53.80: . ack 103660 win 64240
08:02:28.914230 vlan 10, p 0, IP 192.168.220.2.16838 > 74.75.5.69.37745: UDP, length 101
08:02:28.914454 vlan 30, p 5, IP 192.168.18.42.3263 > 95.211.95.53.80: . ack 103660 win 64240
08:02:28.914647 vlan 30, p 7, IP 83.4.54.64.15522 > 192.168.120.111.3679: P 14336:14934(598) ack 1 win 64712
08:02:28.914715 vlan 30, p 5, IP 192.168.120.49.1550 > 87.248.217.216.80: . ack 4294965836 win 65535
08:02:28.915465 vlan 30, p 5, IP 192.168.120.145.1054 > 77.55.17.32.80: . ack 12692 win 65535
08:02:28.915479 vlan 30, p 7, IP 111.192.11.94.16628 > 192.168.15.181.17295: UDP, length 53
08:02:28.915730 vlan 10, p 5, IP 87.248.216.13.80 > 192.168.113.18.1347: . 37148:38608(1460) ack 1 win 65535
08:02:28.915975 vlan 10, p 5, IP 85.17.147.37.80 > 83.238.201.170.2673: . 14520:15972(1452) ack 1 win 6432
08:02:28.916099 vlan 10, p 5, IP 87.248.216.13.80 > 192.168.113.18.1347: . 38608:40068(1460) ack 1 win 65535

proxmox network configuration
============================================================
>ifconfig
eth1      Link encap:Ethernet  HWaddr 00:02:b3:d3:c6:ae
inet6 addr: fe80::202:b3ff:fed3:c6ae/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:1404791421 errors:110 dropped:0 overruns:40 frame:150
TX packets:178 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1008510484704 (939.2 GiB) TX bytes:33388 (32.6 KiB)

lo        Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:44845 errors:0 dropped:0 overruns:0 frame:0
TX packets:44845 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11217154 (10.6 MiB) TX bytes:11217154 (10.6 MiB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

vmbr1     Link encap:Ethernet  HWaddr 00:02:b3:d3:c6:ae
inet6 addr: fe80::202:b3ff:fed3:c6ae/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15086363 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:979910980 (934.5 MiB) TX bytes:180 (180.0 B)

vmtab101i2 Link encap:Ethernet  HWaddr 00:ff:25:c1:b9:ff
inet6 addr: fe80::2ff:25ff:fec1:b9ff/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:9780959 errors:0 dropped:0 overruns:0 frame:0
TX packets:16735981 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:1163405393 (1.0 GiB) TX bytes:1712484235 (1.5 GiB)

proxmox network configuration (interfaces)
============================================================
# network interface settings
auto lo
iface lo inet loopback

auto eth1
iface eth1 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

auto vmbr1
iface vmbr1 inet manual
bridge_ports eth1
bridge_stp off
bridge_fd 0

windows guest network configuration
=========================================
Description . . . . . . . . . . . : Qumranet ParaVirtualized Ethernet Adapter #2
Physical Address. . . . . . . . . : 66-D6-D6-A0-C0-EB
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.110.254
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.110.1
DNS Servers . . . . . . . . . . . : 192.168.110.1
Try setting the bridge forwarding delay and ageing time to zero.

# brctl setageingtime vmbr1 0
# brctl setfd vmbr1 0

This should make the bridge act as an old hub. I did not try this, so I don't even know if it's going to work.
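
As an added example that is not part of the thread, here is a small Python model of a Linux learning bridge showing why the VM behind vmbr1 received only broadcast/multicast (every unicast destination in the mirrored traffic had been learned on eth1, so the bridge never forwarded those frames to the tap) and why an ageing time of 0 floods every frame to the tap like a hub. The port names eth1 and vmtab101i2 come from the ifconfig output above; the MAC addresses and frames are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

def is_multicast(mac):
    # Group bit (LSB of the first octet) set: broadcast and multicast frames are always flooded.
    return bool(int(mac.split(":")[0], 16) & 1)

class Bridge:
    """Minimal model of a Linux learning bridge (vmbr1 with ports eth1 and the VM's tap)."""

    def __init__(self, ports, ageing_time):
        self.ports = list(ports)
        self.ageing_time = ageing_time  # seconds, as set with brctl setageingtime
        self.fdb = {}                   # forwarding database: MAC -> port it was learned on

    def lookup(self, mac):
        # Mirrors the kernel's has_expired() check: with ageing_time 0 an entry is
        # already stale when looked up, so no unicast destination is ever "known".
        if self.ageing_time == 0:
            return None
        return self.fdb.get(mac)

    def forward(self, ingress, src, dst):
        """Return the set of egress ports for a frame src -> dst arriving on ingress."""
        self.fdb[src] = ingress         # learning: the source MAC lives behind the ingress port
        out = self.lookup(dst)
        if is_multicast(dst) or out is None:
            return {p for p in self.ports if p != ingress}   # unknown/group destination: flood
        return set() if out == ingress else {out}            # known: forward, never back out the ingress port

# Constructed sample of what the switch's mirror port delivers to eth1 (MACs are made up).
MIRRORED = [
    ("00:11:22:33:44:55", "00:aa:bb:cc:dd:01"),  # client -> server, unicast
    ("00:aa:bb:cc:dd:01", "00:11:22:33:44:55"),  # server -> client, unicast
    ("00:11:22:33:44:55", BROADCAST),            # ARP who-has, broadcast
    ("00:11:22:33:44:55", "01:00:5e:7f:ff:fa"),  # SSDP to 239.255.255.250, multicast
]

def seen_by_tap(ageing_time, tap="vmtab101i2"):
    """Replay the mirrored traffic twice and count the frames that reach the sniffer VM's
    tap in the second pass, i.e. once the bridge has learned every MAC behind eth1."""
    br = Bridge(["eth1", tap], ageing_time)
    for src, dst in MIRRORED:
        br.forward("eth1", src, dst)
    return sum(1 for src, dst in MIRRORED if tap in br.forward("eth1", src, dst))

if __name__ == "__main__":
    print("default ageing time (300 s):", seen_by_tap(300), "of", len(MIRRORED))  # 2 of 4: only ARP and SSDP
    print("ageing time 0 (hub mode)   :", seen_by_tap(0), "of", len(MIRRORED))    # 4 of 4
```

The 2-of-4 result is exactly the symptom in the windump capture above (only ARP, LLMNR, SSDP and DHCP broadcasts), while the host's tcpdump on eth1 sees everything because it captures before the bridge's forwarding decision.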