Monitoring of intra virtual machines network traffic on same physical host

Is it possible to monitor network traffic between different Virtual machines on the same physical machine using Bro?

Thanks.

Joshi Pradyumna

Computer Center,
Homi Bhabha National Institute,

Mumbai.

This is really a specific version of the more general question, is it possible
to sniff traffic between VMs on the same physical host? The answer is, it
depends: what virtualization tool is being used? If it's VMware vSphere, then
yes:
https://blogs.vmware.com/vsphere/2011/08/vsphere-5-new-networking-features-port-mirroring.html

I don't know of this capability existing on any other virtualization platform.

Thanks Aashish for the quick response.

Your response has provided one more option for me - to run workers on VM instances and run manager on Host.

I was thinking of using multiple options and was not sure which one to go for:

  1. Using Daemonlogger for capturing traffic from bridged interfaces and feeding this traffic to Bro.

  2. Using Open vSwitch to achieve bridge functionality and feed it to Bro. From the docs, it is seen that OVSDB supports full virtual switch management functionality.

I wanted to know if anybody in the Bro community had implemented similar solutions and wanted to know their experiences/feedback.

regards,

- Pradyumna Joshi

Adding a little to this, we just started playing with running Bro on a VM to monitor VM-to-VM traffic on an HP bladesystem running VMware using the port mirroring that Shane mentioned. It’s going well enough that I’m considering deploying it on all the other bladesystems as well.

Actually, we’re using it as a monitoring point for VM to non-VM traffic as well since it sees everything coming in-out of the chassis as well.

-Dop

I think Open vSwitch and the port mirroring that Shane mentioned look like very promising options. Much better than clusterifying the virtual machines.

While I haven't run Bro on VM systems, I would be very interested in the performance numbers; if any of you have those in the future, please do share.

Thanks,
Aashish