Network Sniffing from a Guest
Posted: 7. Mar 2009, 18:45
I am using VirtualBox 2.1.4 and host networking and trying to sniff the network traffic that reaches the host interface from a Linux Guest that is bound to a specific host network interface.
Host config:

    eth1  Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet6 addr: XXXX::XXXX:XXXX:XXXX:3XXXX/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:4360474 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2912 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2679285500 (2.4 GiB)  TX bytes:609838 (595.5 KiB)
          Memory:d3060000-d3080000

Guest config (eth1 on the Guest is bound to eth1 on the host):

    eth1  Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet6 addr: XXXX::XXXX:XXXX:XXXX:3XXXX/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:6078 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:919669 (898.1 KiB)  TX bytes:5314 (5.1 KiB)
          Base address:0xc040 Memory:f0820000-f0840000

With this configuration I would expect to be able to run a tcpdump command on both the Host and the Guest and see the same data. Unfortunately, this is not the case as the network packets sent on to the guest are limited to broadcast packets. I have port mirroring set up on my switch to copy traffic to this interface, and I am seeing that additional traffic on my Host interface. Using Wireshark also produces similar results.
I ran a similar setup with VMware, so this appears to be a problem with VirtualBox.
Any ideas?