Capture pcap for each VM

2025-03-26 Thread icefrog1950
Hi,

Is it possible to capture pcaps for each VM individually?

QEMU supports command line '-object filter-dump, file=test.pcap'.  I'm not sure
if Libvirt supports this feature, or there are better ways to solve this.

Many thanks.


Re: Running DHCP server inside of the Guest VM instead of the host.

2025-03-26 Thread gameplayer2019pl--- via Users
Starting radvd and adding `` fixed the issue. Thank you!


Re: Running DHCP server inside of the Guest VM instead of the host.

2025-03-26 Thread Laine Stump via Users

On 3/25/25 9:19 AM, gameplayer2019pl--- via Users wrote:

> Hello,
>
> I've recently tried to run KEA DHCP server inside of a Debian VM and the
> following host interface configuration, attached to that VM:
> ```
>
>    netasn-dhcpv6
>
>
>
>
>
>
>
> ```
>
> But whenever I'm trying to run dhclient on another Debian VM attached to the
> same network I couldn't obtain the IPv6 lease from KEA DHCP.
> The host is as well running Debian, version 12.
>
> Is there any way to make the DHCP work from Guest VM instead of using built-in
> libvirt DHCP?



I haven't tried it with IPv6 (and not even with IPv4 in a very long 
time), but as long as you don't have a  section under your , 
libvirt shouldn't be starting its own dhcp server on the bridge (and 
since you have  it shouldn't start up dnsmasq at all).


I suppose it *might* have something to do with the firewall rules added 
for the particular type of network - since you have no  
element, that network will be an "isolated" network, and will have 
firewall rules added to prevent any traffic from traveling beyond that 
bridge device / subnet; this shouldn't affect communications between two 
guests connected to the same network though. If you want to test that 
theory, add  to the network definition and restart 
it (then shutdown/restart both of your guests) - this will assure that 
no firewall rules will be added for the network.


You may also want to double-check any firewall rules on the guest that's 
running the DHCP server. Oh, and also try offering IPv4 IPs and see if 
the other guest gets an IPv4 address but not IPv6.


Re: Capture pcap for each VM

2025-03-26 Thread Laine Stump via Users

On 3/26/25 6:03 AM, icefrog1...@gmail.com wrote:

> Hi,
>
> Is it possible to capture pcaps for each VM individually?
>
> QEMU supports command line '-object filter-dump, file=test.pcap'.  I'm not sure
> if Libvirt supports this feature, or there are better ways to solve this.


libvirt doesn't directly support this, but it should be (edit: is - 
I've now tried it) possible to make it work with , 
which is documented here:


 
https://blog.vmsplice.net/2011/04/how-to-pass-qemu-command-line-options.html


I also see from the docs about filter-dump:

 https://wiki.qemu.org/Documentation/Networking#Network_Monitoring

that

1) it will only work if the traffic is all going through QEMU userspace 
(which makes sense); since the default for libvirt is that virtio-net 
traffic will be processed in the host kernel, you'll need to add name='qemu'/> to the , and


2) because you need to give the "id" of the netdev you're trying to 
capture in the filter-dump options, you need to manually specify name='blah'/> in the  so that it will be a known/fixed value 
(normally it is auto-generated by libvirt at runtime).


So your  definition will need to be modified something like this:

  

< add this
  < and this
...
  


Once you've made that change, you'll need to add the  
bit, first by changing the first line of the domain definition from:




to



and then adding in the following bit immediately after  and 
before  at the end of the file:


  


  

A couple notes about this:

1) the value of "id" here is unimportant, it can be just about anything 
that hasn't already been used in the domain,


2) the setting of "netdev" is *not quite* the same as the "alias name" 
of the interface in libvirt's config; it is derived from that setting by 
prepending "host" (this is due to internal implementation details that 
normally the user doesn't see or care about; you're only seeing it 
because you're doing something that isn't supported :-))


3) The file *must* be in a directory where the UID used for running the 
qemu-kvm process has permissions to create and write to a file. The 
system (privileged) instance of libvirt normally runs the qemu-kvm 
process as user "qemu", and a session instance (unprivileged) will run 
qemu-kvm as the same UID as the process calling libvirt. In both cases 
it should work to give a name in /tmp, since generally any user can 
write to /tmp.



I tried this on a guest, started it, then ran

   tail /tmp/xyzzy.pcap | tcpdump

and it began spewing out reasonable-looking network traffic, so I guess 
it worked :-)


As for alternatives - normally I instead just run tcpdump (or wireshark 
or whatever) on the host-side tap device created as the backend for the 
guest netdev (you can find the name of this device by looking for 
"" in the output of "virsh dumpxml" of a running 
guest). Of course this won't work if you're using a type of networking 
that doesn't involve a tap (or macvtap) device, and also might miss the 
first few packets after the guest is started (depending on how quickly 
you can issue the "tcpdump -i blah" command after the tap device has 
been created as a part of starting up the guest). Another possibility is 
to run tcpdump/wireshark on the host bridge device that the tap is 
connected to.
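
The domain XML changes described in the reply above (userspace driver, fixed alias, and the extra QEMU arguments), applied programmatically. This is an added example, not code from the original message or from libvirt; the element and namespace names are those of libvirt's domain XML format, while the function name `add_filter_dump`, the alias `ua-cap0`, the `dump-` id prefix and the sample domain are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

QEMU_NS = "http://libvirt.org/schemas/domain/qemu/1.0"
ET.register_namespace("qemu", QEMU_NS)

# Constructed sample: a minimal domain with one virtio interface.
SAMPLE_DOMAIN = """<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <interface type='network'>
      <source network='default'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>"""

def _set_child(parent, tag, **attrs):
    """Create or update a single child element with the given attributes."""
    child = parent.find(tag)
    if child is None:
        child = ET.SubElement(parent, tag)
    child.attrib.update(attrs)

def add_filter_dump(domain_xml, pcap_path, alias="ua-cap0", index=0):
    """Return domain XML with a filter-dump capture on the index-th interface."""
    if not alias.startswith("ua-"):
        raise ValueError("libvirt user-defined aliases must start with 'ua-'")
    if "," in pcap_path:
        raise ValueError("comma in path would be parsed as a QEMU option separator")
    root = ET.fromstring(domain_xml)
    ifaces = root.findall("./devices/interface")
    if index >= len(ifaces):
        raise IndexError("domain has no interface #%d" % index)
    iface = ifaces[index]
    _set_child(iface, "driver", name="qemu")   # keep packets in QEMU userspace
    _set_child(iface, "alias", name=alias)     # fixed, known alias
    # The QEMU netdev id is the libvirt alias with "host" prepended.
    opts = "filter-dump,id=dump-%s,netdev=host%s,file=%s" % (alias, alias, pcap_path)
    cmdline = root.find("{%s}commandline" % QEMU_NS)
    if cmdline is None:
        cmdline = ET.SubElement(root, "{%s}commandline" % QEMU_NS)
    for value in ("-object", opts):
        ET.SubElement(cmdline, "{%s}arg" % QEMU_NS, value=value)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(add_filter_dump(SAMPLE_DOMAIN, "/tmp/guest1.pcap"))
```

The serialized root element carries the `xmlns:qemu` declaration, which corresponds to the first-line change mentioned in the reply; the capture path still has to be writable by the UID that runs the QEMU process.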