Wasif

Reputation: 171

In QEMU, is it possible to intercept packets being sent/received by the Linux Guest OS?

We are doing a little project that involves monitoring the Guest OS (for example Linux) from the hypervisor layer (i.e. QEMU). One of the things that we want to monitor is network traffic going in/out of the Guest OS. Is it possible to do so without modifying the Guest OS?

One way to do it is to intercept the relevant syscalls which are made when sockets are created and fetch the values from the relevant registers as the instructions are being executed. But we are not too sure if it is easy or if it's the right way to do it.

Upvotes: 15

Views: 5656

Answers (4)

Tal

Reputation: 121

In addition to @usr57368's answer: for devices created with '-netdev', use '-object filter-dump,...' instead of -net dump:

-object filter-dump,id=id,netdev=dev[,file=filename][,maxlen=len]

Dump the network traffic on netdev dev to the file specified by filename. At most len bytes (64k by default) per packet are stored. The file format is libpcap, so it can be analyzed with tools such as tcpdump or Wireshark.

Upvotes: 8

Shannon Nelson

Reputation: 2126

Since qemu is open source, you can get the source and insert code into the network device emulation to capture and log the data packets as they come through the device. For example, see the virtio_net_flush_tx() routine in hw/virtio-net.c.

Upvotes: 0

user57368

Reputation: 5765

From the QEMU documentation:

-net dump[,vlan=n][,file=file][,len=len]

Dump network traffic on VLAN n to file file (qemu-vlan0.pcap by default). At most len bytes (64k by default) per packet are stored. The file format is libpcap, so it can be analyzed with tools such as tcpdump or Wireshark.

You should also be able to monitor in real-time by running Wireshark on the host if you use --net tap.

Upvotes: 7
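Both the -net dump option above and Tal's -object filter-dump variant write the capture in the libpcap format the documentation mentions. The following parser is an added example (not QEMU's code and not from any of the answers): it reads such a dump on the host, flags records that the len/maxlen limit (the file's snaplen) cut short, and extracts the IPv4 endpoints that a Wireshark ip.src/ip.dst filter would match. The sample capture, with the addresses 10.0.2.15 and 10.0.2.2, is constructed inline so the script runs offline.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4    # libpcap magic (microsecond timestamps)
GLOBAL_HDR = "IHHiIII"     # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"        # ts_sec, ts_usec, incl_len (captured), orig_len (on wire)

def read_pcap(data):
    """Parse libpcap bytes into (snaplen, records); each record notes whether snaplen cut it."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        bo = "<"
    elif magic == 0xD4C3B2A1:  # same magic seen through the other byte order
        bo = ">"
    else:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    snaplen, linktype = struct.unpack_from(bo + GLOBAL_HDR, data, 0)[5:7]
    if linktype != 1:  # LINKTYPE_ETHERNET: what a netdev dump contains
        raise ValueError("unexpected link type %d" % linktype)
    records, off = [], struct.calcsize(GLOBAL_HDR)
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(bo + RECORD_HDR, data, off)
        off += 16
        if off + incl_len > len(data):
            break  # last record incomplete, e.g. the guest is still writing to the file
        records.append({"ts": ts_sec + ts_usec / 1e6, "orig_len": orig_len,
                        "payload": data[off:off + incl_len],
                        "truncated": orig_len > incl_len})
        off += incl_len
    return snaplen, records

def ipv4_endpoints(frame):
    """(src, dst) for an IPv4-over-Ethernet frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    return ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))

def build_sample_pcap(snaplen=64, bo="<"):
    """Constructed capture (not real guest traffic): one 42-byte UDP datagram
    and one 1500-byte frame stored only up to snaplen, as maxlen=64 would do."""
    def frame(total):
        eth = bytes.fromhex("525500000202") + bytes.fromhex("525400123456") + b"\x08\x00"
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total - 14, 1, 0, 64, 17, 0,
                         bytes([10, 0, 2, 15]), bytes([10, 0, 2, 2]))
        udp = struct.pack("!HHHH", 40000, 53, total - 34, 0)
        return (eth + ip + udp).ljust(total, b"\x00")
    out = struct.pack(bo + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    small, big = frame(42), frame(1500)[:snaplen]
    out += struct.pack(bo + RECORD_HDR, 1700000000, 0, len(small), 42) + small
    out += struct.pack(bo + RECORD_HDR, 1700000001, 500000, len(big), 1500) + big
    return out
```

A truncated record means the dump cannot be used to reconstruct that packet's full payload; raise maxlen (or len for -net dump) if the monitoring needs whole frames.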

john doe

Reputation: 1

Use a program called Wireshark. Enter the search filter (ip.src eq [IP] or ip.dst eq [same ip]) and it will tell you all the data going to and from that computer. Useful for looking deeper into its interaction with the network, or certain actions.

Upvotes: 0
