In QEMU, is it possible to intercept packets sent / received by the Linux Guest operating system?

We are doing a small project that involves monitoring a guest OS (e.g. Linux) from the hypervisor level (i.e. QEMU). One of the things we want to monitor is the network traffic going to / from the guest OS. Can this be done without changing the guest OS?

One way to do this is to intercept the corresponding system calls that are created when creating the sockets, and extract the values from the corresponding registers as the instructions are executed. But we are not too sure if this is easy or if this is the right way to do it.

+6
4 answers

From the QEMU documentation:

-net dump[,vlan=n][,file=file][,len=len]

Dump network traffic in VLAN n to a file (qemu-vlan0.pcap by default). Maximum len bytes (64k by default) for each packet. The file format is libpcap, so it can be analyzed using tools such as tcpdump or Wireshark.

You can also track in real time by running Wireshark on the host if you are using --net tap.

+2

In addition to @usr57368's answer: for devices created using -netdev, use -object filter-dump,... instead of -net dump:

 -object filter-dump,id=id,netdev=dev[,file=filename][,maxlen=len]

Dump network traffic on netdev dev to the file specified by filename. No more than len bytes are stored (default 64k). The file format is libpcap, so it can be analyzed using tools such as tcpdump or Wireshark.

+2
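
An added example (not part of the answers above or of the QEMU documentation): a minimal Python reader for the libpcap file that -net dump or -object filter-dump writes, counting IPv4 flows and the frames cut short by the len/maxlen limit. The function names, the 10.0.2.x addresses and the capture bytes are constructed for illustration; it assumes the classic pcap header with Ethernet link type.

```python
import ipaddress
import struct
from collections import Counter

def read_pcap(data):
    """Yield (orig_len, captured_bytes) for each record of a classic libpcap file."""
    # The magic number tells us the byte order of the host that wrote the file.
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None or len(data) < 24:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("expected link type 1 (Ethernet)")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack(end + "4I", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break            # last record incomplete, e.g. the VM is still writing
        off += 16 + incl_len
        yield orig_len, frame

def summarize(data):
    """Return (flows, truncated, skipped): IPv4 (src, dst, proto) counts and tallies."""
    flows, truncated, skipped = Counter(), 0, 0
    for orig_len, frame in read_pcap(data):
        truncated += len(frame) < orig_len       # cut by the dump's len/maxlen limit
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            skipped += 1                         # not IPv4, or too short to parse
            continue
        src, dst = (str(ipaddress.IPv4Address(frame[o:o + 4])) for o in (26, 30))
        flows[(src, dst, frame[23])] += 1        # frame[23] = IP protocol number
    return flows, truncated, skipped

def build_sample():
    """Constructed capture: two IPv4 frames (second cut to 40 bytes) and one ARP frame."""
    def record(frame, snap=65536):
        return struct.pack("<4I", 0, 0, min(len(frame), snap), len(frame)) + frame[:snap]
    def ipv4(proto, payload):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         bytes([10, 0, 2, 15]), bytes([10, 0, 2, 2]))
        return bytes(12) + b"\x08\x00" + ip + payload
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65536, 1)
    return (header + record(ipv4(6, bytes(20))) + record(ipv4(17, bytes(100)), snap=40)
            + record(bytes(12) + b"\x08\x06" + bytes(28)))

if __name__ == "__main__":
    print(summarize(build_sample()))
```

A non-zero truncated count means the capture limit was smaller than some frames, so payload-level analysis of those packets is incomplete even though the headers are intact.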

Use a program called Wireshark. Enter the search filter (ip.src eq [IP] or ip.dst eq [same ip]) and it will tell you all the data coming to and from this computer. Useful for digging deeper into its interaction with the network or certain actions.

0

Since QEMU is open source, you can get the source code and insert code into a network device emulation to capture and log data packets as they arrive through the device. For example, see the virtio_net_flush_tx() procedure in hw/virtio-net.c.

0

Source: https://habr.com/ru/post/886270/

