lo interface traffic, tracking connections to webserver

[drazen]

Hi to all!

i'm using VirtualBox on a Windows Host and have created a Ubuntu Guest and have a NAT and a second host-only adapter. On the Ubuntu Guest, i have a webserver running and Snort. What i want is to capture traffic that is sent from the Guest to the Guest itself (to the webserver especially, so port 80). When i start Snort, i'm capturing the traffic from the lo interface. If i start opening connections from Guest to Guest i dont see any packets coming.
Also, if i tcpdump the lo interface, i can see these packets.

If i capture the eth1 interface traffic, and send packets (or open connections) from the Host to the Guest's port 80, i can see them coming. What is going wrong? What should i change to see these packets-connections??

thanks in advance,
Alex.

[Perryg]

Sounds like the web server is set to use the eth* interface instead of lo.

[drazen]

well, in my "/apache2/sites-available/mysite" i have

ServerName 192.168.***.***

which is the eth1 inet address. I should change that to 127.0.0.1 ???? i'm a newbie to all this stuff so i need your help in this also!!!

[Perryg]

While I am not sure exactly what it is you are actually trying to achieve, if you want to monitor explicit traffic from/to the guest you would need to have the web server actually using that segment.

[drazen]

what segment? what do you mean by segment?

[BillG]

If you want to monitor network traffic, it helps if you know a little about networks!

Network monitors can only capture traffic which actually flows in the network it is monitoring. If the traffic is using some other bit of the network (ie another segment) the sniffer is not going to see it.

If you really want to monitor only traffic flowing between guest systems put them in an internal network and give them only one NIC each. You then only have one segment and there is no other route the traffic can use.