[PVE-User] Network Tap?

Tony Zakula tony at zakula.com
Tue Jun 22 18:25:52 CEST 2010


Thank you for your reply.  So basically, if I understand iptables, I
could do the accounting with that, but can I do it from the hardware
node?  If someone has root access to their VM, they could change the
iptables config to bypass the accounting?  I was trying to do it
from outside the VM.  If I misunderstand, please correct me.

Thanks,

Tony

On Tue, Jun 22, 2010 at 10:28 AM, rupi <rupi at rantanplan.org> wrote:
> hi,
>
> i am not aware of any 'real' port mirror setup, but you can do something
> like
> tcpdump -s 0 -i vminterface -w fifo
> and socat to get this on another machine.
>
> if you simply want to do traffic accounting i would use iptables counters.
> these counters are overflow safe and accurate. simply add a rule in
> your firewall that matches the machine and doesn't do anything else.
>
> /r
>
> --
>  http://rantanplan.org/~rupi/ || encrypt email || use free software
>  fingerprint = 9639 0ABC AD2F 155F C96C  FC78 3CFE 82C0 0AF9 AE3A
>
>
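
Counting rules of the kind rupi describes, placed on the hardware node rather than inside the guest, shown as an added example that is not part of the original thread. The chain name VMACCT, the 192.0.2.x guest addresses and the sample listing are assumptions constructed for illustration, and the rules only see guest traffic that crosses the host's FORWARD chain.

```shell
#!/bin/sh
# Added example: per-guest traffic accounting from the hardware node.
# Assumptions: chain name VMACCT, guest addresses 192.0.2.x, and guest traffic
# traversing the host's FORWARD chain (routed guests; bridged guests only do so
# when net.bridge.bridge-nf-call-iptables=1).

# Create the accounting chain on the host (needs root; not called by this script).
acct_setup() {
    iptables -N VMACCT
    iptables -I FORWARD -j VMACCT
    for ip in "$@"; do
        iptables -A VMACCT -s "$ip"   # no -j target: the rule only counts
        iptables -A VMACCT -d "$ip"   # then the packet falls through
    done
}

# Constructed sample of `iptables -L VMACCT -v -x -n` output (-x = exact counters).
sample_listing() {
    cat <<'EOF'
Chain VMACCT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1520   913400            all  --  *      *       192.0.2.10           0.0.0.0/0
    1310   120844            all  --  *      *       0.0.0.0/0            192.0.2.10
     400    52000            all  --  *      *       192.0.2.20           0.0.0.0/0
    5100  7340032            all  --  *      *       0.0.0.0/0            192.0.2.20
EOF
}

# Read such a listing on stdin and print "ip tx=<bytes> rx=<bytes>" per guest.
# Source and destination are taken from the last two columns, so the parse
# works whether or not the target column is empty.
acct_report() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
        src = $(NF-1); dst = $NF
        if (src != "0.0.0.0/0") { tx[src] += $2; seen[src] = 1 }
        if (dst != "0.0.0.0/0") { rx[dst] += $2; seen[dst] = 1 }
    }
    END { for (ip in seen) printf "%s tx=%.0f rx=%.0f\n", ip, tx[ip], rx[ip] }' | sort
}

# On a real host: iptables -L VMACCT -v -x -n | acct_report
sample_listing | acct_report
```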


