Tcpdump traffic originating in VM

Discussion in 'General Questions' started by PederK, Oct 20, 2010.

  1. PederK

    PederK Bit poster

    Messages:
    2
    I have a LiveCD image that I'm being asked to trust. Being a sysadmin, I'm naturally paranoid, so I don't. I'd like to see that the LiveCD doesn't do anything more than it says it's doing before I let it near any actual data. An easy way of checking that it doesn't talk to machines it shouldn't would be to pop it into a fresh VM and tcpdump the virtual network interface on the Mac side. Or so I thought.

    The tcpdump didn't even show the expected traffic. I can start a shell in the VM and ping a host, or connect to an HTTP port, without any packets being captured. It seems this is a known issue: http://forum.parallels.com/showpost.php?p=425658&postcount=11, but the statement at the end that it doesn't affect anything is something I respectfully disagree with. It certainly affects my use-case. If I can't figure out how to do this, I'll probably have to muck about with physical hardware and wires.

    The referred post says "sometimes". Does that mean there are circumstances where the traffic becomes visible? If so, how do I do that?

    I have Parallels Desktop 5 for Mac, build 5.0.9376, running on a MacBook Pro. The VM I set up has shared networking, and the LiveCD is Linux based and comes up with a complete desktop environment. I have tcpdumped vnic0 and vnic1 with identical lack of results (vnic0 is the interface on the same subnet as the VM's IP). Tcpdumping the external interface on the MacBook shows the traffic as originating on the IP address of that interface, not forwarded from the VM. But the traffic on the external interface is mixed with other traffic from the Mac and thus hard to analyze.
     
  2. Elric

    Elric Parallels Team

    Messages:
    1,718
    Likely the feature will be implemented in the next major version of PD. It is slightly complicated to insert without thorough testing.

    I can suggest sending you (in a week or two) a version of the driver that makes VM traffic visible to tcpdump, but it works slightly slower than the original, although the difference will not be visible for 100Mbit networking.
     
  3. PederK

    PederK Bit poster

    Messages:
    2
    Thanks, that would be very helpful. 100Mbit is plenty for my needs.
     
  4. Elric

    Elric Parallels Team

    Messages:
    1,718
    Unfortunately, after some efforts to implement this, I realized that this is more complicated than I expected. It just doesn't fit into the plans. It seems that this feature will only be done in the next version of Parallels Desktop :-(
     
  5. elventear

    elventear Bit poster

    Messages:
    9
    I use Parallels 9 and I still can't capture traffic. Is this feature available but hidden? Or not available at all?
     
  6. Elric

    Elric Parallels Team

    Messages:
    1,718
    Sorry. It is still impossible to capture traffic via tcpdump on the host. The workaround is to run a second VM and tcpdump in it.
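
Added example, not part of the original thread and not Parallels code: once a capture has been taken with the second-VM workaround above and saved with `tcpdump -w`, this Python script lists every TCP/UDP destination the VM under test contacted that is not on an allowlist. It assumes a classic little-endian pcap file with Ethernet frames; the IP addresses, ports, allowlist and sample packets are constructed for illustration.

```python
import struct, socket
from collections import Counter

def read_pcap(data):
    """Yield raw frames from a classic little-endian pcap (Ethernet link type)."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from("<IIII", data, off)
        yield data[off + 16: off + 16 + caplen]
        off += 16 + caplen

def destinations(data, vm_ip):
    """Count (dst_ip, proto, dst_port) for IPv4 TCP/UDP packets sent by vm_ip."""
    seen = Counter()
    for frame in read_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # too short or not IPv4
        proto = frame[23]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        l4 = 14 + (frame[14] & 0x0F) * 4  # Ethernet header + IP header length
        if src != vm_ip or proto not in (6, 17) or len(frame) < l4 + 4:
            continue  # only outbound TCP/UDP from the VM under test
        dport = struct.unpack_from("!H", frame, l4 + 2)[0]
        seen[(dst, "tcp" if proto == 6 else "udp", dport)] += 1
    return seen

def unexpected(data, vm_ip, allowed):
    """Return destinations contacted by the VM that are not on the allowlist."""
    return sorted(d for d in destinations(data, vm_ip) if d not in allowed)

# --- constructed sample capture (not real traffic) ---
def _pkt(src, dst, proto, dport):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHI", 40000, dport, 0)
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _pkt("10.211.55.5", "10.211.55.1", 17, 53), _pkt("10.211.55.5", "192.0.2.80", 6, 80),
    _pkt("10.211.55.5", "198.51.100.7", 6, 8443), _pkt("10.211.55.1", "10.211.55.5", 17, 40000),
])
ALLOWED = {("10.211.55.1", "udp", 53), ("192.0.2.80", "tcp", 80)}

if __name__ == "__main__":
    print("unexpected:", unexpected(SAMPLE, "10.211.55.5", ALLOWED))
```

To use it on a real capture, pass the bytes of the saved file, the IP address of the VM under test and the set of destinations the LiveCD is documented to contact.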
     
