[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-users] Snort monitoring of Xen guests

To: xen-users@xxxxxxxxxxxxxxxxxxx
From: Mark Chandler <mcl@xxxxxxxxxxx>
Date: Sun, 27 Apr 2008 15:22:37 +1000
Delivery-date: Sat, 26 Apr 2008 22:23:11 -0700
List-id: Xen user discussion <xen-users.lists.xensource.com>

Hi all,

From another post on this list, it seems that the only way to monitorall traffic to guests in a host is to bind to the peth interface that isbound to the bridge that serves the guests. Is this the only way ofdoing it? Ideally, I'd like to have one guest running Snort thatmonitors everything else.

I've tried using tcpdump to monitor traffic on various interfaces, butI've never had a completely satisfactory result. On guest interfaces, Ican only see traffic for that guest (this seems to be a feature); onDom0 I get a long pause (10-20s), then I start to see packets. Also,with the Dom0 monitoring, I can only seem to see traffic on the pethinterface. Binding to vif0.0 gives me nothing interesting.

At the moment, I'm researching the use of tc (traffic control) to mirrortraffic to another device to get the effect of a monitor port on thexen-bridge.


Any help on this would be very appreciated.

Mark C.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

Follow-Ups:
- RE: [Xen-users] Snort monitoring of Xen guests
  - From: James Harper
- Re: [Xen-users] Snort monitoring of Xen guests
  - From: John Haxby

Prev by Date: Re: [Xen-users] dd trough scp with tar
Next by Date: [Xen-users] Question about hiding pci devices.
Previous by thread: Re: [Xen-users] Release 0.8.9 of GPL PV drivers for Windows
Next by thread: Re: [Xen-users] Snort monitoring of Xen guests
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.