Hi,
I am looking for some direction on how to configure KVM networking so that
a promiscuous bridge/host nic/guest nic allows two different network
monitoring packages to sniff the same physical traffic.
The idea is to run a commercial package on the CentOS 6.5 host and Snort,
via Security Onion, on the guest, both being fed by a physical switch SPAN
or physical firewall TAP.
The host has two NICs, one for management and one for sniffing. I am using
libvirt and libvirt-manager to supplement configuration.
I have basic bridge networking configured and connected on the management
NIC, but I can't seem to figure out the missing piece for getting physical
network traffic from the SPAN/TAP port to the Xubuntu guest NIC for
sniffing.
I have seen mention of setting the bridge aging time to 0, but that did not
seem to work and the only place I could find to verify the setting was by
running brctl showmacs <brisge name>. I have also seen posts saying this
was more of a workaround, without discussing an alternate method.
I have tinkered with setting the host nic, bridge, and guest nic to
promiscuous mode, only to see relatively equal traffic climb on the host
nic and bridge, but not the guest nic.
Other searched have turned up discussions about tunctl and its
implementation, so at this point I figured a reality check was in order.
Is this idea feasible? If so, where should I be looking for information on
how to implement it?
Thanks in advance for any pointers.
Show replies by date