Hello friends, hello Stefan,

Thanks to your hints we succeeded in intercepting network traffic between VMs.

Now we have encountered yet another problem: our security module (which is an LKM) performs a security check and, when suspecting malicious activity at a VCPU, must suspend or even kill this VM. The problem is: how to suspend/kill a VCPU?

We have taken the following approach:

1. Accessing the VM list (struct list_head vms_list) through the kallsyms interface
2. Iterating through VMs, reaching every VCPU (as a structure struct kvm_vcpu *vcpu)
3. Running the security check on every such structure.

That is, we were seeking a function like cpu_reset(struct kvm_vcpu *vcpu). The following "reset functions" were so far tried (taken from kvm_host.h):

1. kvm_vcpu_uninit and kvm_x86_ops->vcpu_free. These cause the whole system (both host and guest OSs) to hang.
2. kvm_vcpu_reset and kvm_arch_vcpu_free lead to the linker error "Warning! Function undefined".

Which "reset function" could you recommend?

Thanks in advance,
an Israeli team (Mark, Martin, Boaz and Alex)

On Thu 19 Dec 11:05 2013 Stefan Hajnoczi wrote:
> On Wed, Dec 18, 2013 at 01:53:56PM +0200, Alexander Binun wrote:
> > We are trying to monitor the traffic (network packets etc.) between VMs in KVM. We succeeded in getting the address of the system call table (see http://syprog.blogspot.co.il/2011/10/hijack-linux-system-calls-part-iii.html) and intercepting the system calls going through the kernel.
> >
> > In such a way we see ALL system calls (including those which were not initiated from within VMs).
>
> You do not see guest system calls when you hook host system calls. You only see host system calls (including those made by QEMU).
>
> > How can we filter out the system calls not related to VMs? What is your opinion regarding our approach?
>
> Maybe I'm missing context for this discussion but I wouldn't intercept system calls in order to monitor VM network traffic.
>
> You can monitor VM traffic using libpcap on the VM's tap interface on the host. If you want fancier deep packet inspection, Open vSwitch offers a flow-based interface so you can monitor just certain conversations.
>
> Stefan