问题描述
- 在虚拟机上eth0 ping 主机,为什么在其他出接口(eth1)tcpdump还能看到报文?
-
主机信息:连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::998f:e20:1480:3aab%13
IPv4 地址 . . . . . . . . . . . . : 192.168.1.107
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . : 192.168.1.1虚拟机信息(路由和ip地址):
eth0 Link encap:Ethernet HWaddr 00:0C:29:A0:55:ABinet addr:192.168.1.108 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fea0:55ab/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8313 errors:0 dropped:0 overruns:0 frame:0
TX packets:9646 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:612195 (597.8 KiB) TX bytes:2116557 (2.0 MiB)
Interrupt:19 Base address:0x2024eth1 Link encap:Ethernet HWaddr 00:0C:29:A0:55:B5
inet addr:192.168.1.109 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fea0:55b5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1443 errors:0 dropped:0 overruns:0 frame:0
TX packets:55 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:128176 (125.1 KiB) TX bytes:5634 (5.5 KiB)
Interrupt:19 Base address:0x20a4eth2 Link encap:Ethernet HWaddr 00:0C:29:A0:55:BF
inet addr:192.168.1.110 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fea0:55bf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8109 errors:0 dropped:0 overruns:0 frame:0
TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1117965 (1.0 MiB) TX bytes:1408 (1.3 KiB)
Interrupt:16 Base address:0x2424lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:20 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1584 (1.5 KiB) TX bytes:1584 (1.5 KiB)[root@localhost ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 1 0 0 eth2
192.168.1.0 0.0.0.0 255.255.255.0 U 1 0 0 eth1
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0在虚拟机上进行如下操作:(去ping主机的ip地址,用eth0)
[root@localhost ~]# ping 192.168.1.107 -I eth0
PING 192.168.1.107 (192.168.1.107) from 192.168.1.108 eth0: 56(84) bytes of data.
64 bytes from 192.168.1.107: icmp_seq=1 ttl=64 time=0.492 ms
64 bytes from 192.168.1.107: icmp_seq=2 ttl=64 time=0.500 ms
64 bytes from 192.168.1.107: icmp_seq=3 ttl=64 time=1.13 ms
64 bytes from 192.168.1.107: icmp_seq=4 ttl=64 time=0.517 ms
64 bytes from 192.168.1.107: icmp_seq=5 ttl=64 time=0.381 ms
在虚拟机上抓包(抓eth2)
[root@localhost ~]# tcpdump -i eth2 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
18:11:46.945393 IP 192.168.1.108 > 192.168.1.107: ICMP echo request, id 54537, seq 8, length 64
18:11:46.945438 IP 192.168.1.107 > 192.168.1.108: ICMP echo reply, id 54537, seq 8, length 64
18:11:47.947676 IP 192.168.1.108 > 192.168.1.107: ICMP echo request, id 54537, seq 9, length 64
竟然可以抓到。
我就很疑惑,虚拟机的网卡都是桥连的,感谢大牛为我解决疑惑。
解决方案
本来所有虚拟网卡你抓包都可能抓到。
解决方案二:
虚拟机的三个口eth0/eth1/eth2都是桥接的?
可以把虚拟系统的桥接方式,理解为主机和所有的桥接口都连接到一个虚拟hub上。
所以,每个hub口都可以监听所有hub口上的流量。
按理说,实现成虚拟switch更合理一些,这跟monitor的实现有关系。
比如说,像virtual box,它的networking有一个选项,叫做Promiscumous Mode,可以取Deny All/Allow VMs/Allow All几个值,这个控制粒度就更进了一步。