
So I want to sniff the traffic from a virtual bridge (virbr2) from a virtual machine. I can successfully sniff virbr2 directly from the host machine, but when setting that interface to the virtual machine I don't see anything. This is the network configuration of the virtual machine (virsh edit):

<interface type='bridge'>
  <mac address='52:54:00:78:11:bf'/>
  <source bridge='virbr2'/>
  <model type='rtl8139'/>
  <alias name='net1'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
</interface>

Then I get nothing. Then I tried to create a tap interface with:

ip tuntap add tap20 mode tap
ip link set tap20 master virbr2
ip link set tap20 up

It resolves to:

<interface type='bridge'>
  <mac address='52:54:00:78:11:bf'/>
  <source bridge='tap20'/>
  <model type='e1000'/>
  <alias name='net1'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
</interface>

And I can only see broadcast traffic...

Which would be the correct approach and why is it not working?

I'm running Debian 9 and virsh as root.

Thanksss!!!!

2 Answers

0

Have you tried 'tethereal/Wireshark', as suggested in the comment by Biwsa?

As the bridge interface is in the same kernel space as the main interface, it is possible to sniff the virbr2 interface.

0

So apparently the br interfaces are managed by the Linux kernel and are configured as a switch, so only the packets going to a given interface will reach that virtual interface. One way to change that behaviour is to run 'brctl setageing virbr2 0'.
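
The following is an added illustration, not code from the question or either answer: a toy model of a learning bridge showing why a sniffer port such as tap20 sees only broadcast frames with the default ageing time, and sees everything once ageing is 0. The port names vnet0/vnet1, the MAC addresses and the frame list are constructed for the example, and the model is a simplification, not the kernel's bridge code.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class LearningBridge:
    """Simplified learning switch: one forwarding database (FDB), one ageing timer."""
    ports: tuple
    ageing: float = 300.0                      # seconds an FDB entry stays usable
    fdb: dict = field(default_factory=dict)    # mac -> (port, time learned)

    def forward(self, in_port, src, dst, now):
        """Learn the source MAC, then return the set of egress ports."""
        self.fdb[src] = (in_port, now)
        hit = self.fdb.get(dst)
        # With ageing == 0 no entry is ever fresh, so every lookup misses.
        fresh = hit is not None and now - hit[1] < self.ageing
        if dst != BROADCAST and fresh:
            return {hit[0]} - {in_port}        # known unicast: one port only
        return set(self.ports) - {in_port}     # broadcast or unknown: flood

# Constructed traffic between two guests: (time, ingress port, src MAC, dst MAC)
VM_A, VM_B = "52:54:00:aa:aa:aa", "52:54:00:bb:bb:bb"
FRAMES = [
    (0.0, "vnet0", VM_A, BROADCAST),   # ARP request
    (0.1, "vnet1", VM_B, VM_A),        # ARP reply (unicast)
    (0.2, "vnet0", VM_A, VM_B),        # data
    (0.3, "vnet1", VM_B, VM_A),        # data
]

def sniffer_view(ageing, sniffer_port="tap20"):
    """Return the (src, dst) pairs that reach the passive sniffer port."""
    bridge = LearningBridge(ports=("vnet0", "vnet1", sniffer_port), ageing=ageing)
    return [(src, dst) for t, port, src, dst in FRAMES
            if sniffer_port in bridge.forward(port, src, dst, t)]

if __name__ == "__main__":
    for ageing in (300.0, 0.0):
        seen = sniffer_view(ageing)
        print(f"ageing={ageing:>5}: sniffer sees {len(seen)} of {len(FRAMES)} frames")
        for src, dst in seen:
            print(f"    {src} -> {dst}")
```

Flooding every frame to every port also means each guest attached to the bridge receives the other guests' unicast traffic, so this setting fits an isolated lab bridge better than a shared one.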