Centos – Can’t see traffic in the guest OS with tcpdump

I don't know if this will help but I just ran into a similar problem while troubleshooting keepalived on two Linux KVM guests each running Ubuntu 10.04. I found that while running tcpdump -i eth1 would see the multicast addresses (which is a different subnet then the IP assigned to the NIC) but if I ran tcpdump -i any it wouldn't. I did some further testing of tcpdump while monitoring dmesg and found when I used the eth1 device on tcpdump it would put the NIC into promiscuous but when using the "any" device, neither eth0 or eth1 entered promiscuous. This contrary to how it's handled on a physical host where "any" puts all NIC's into promiscuous or at least on the hosts I tested with.

I ran the command ip link set eth1 promisc on and then when I used the "any" device, it was now able to see the traffic. This applied equally to eth0 however I know the traffic I wanted wasn't coming there so I only did this to test. You can save this for the host by editing /etc/network/interfaces and adding a line beginning with "post-up " followed by the command you just used and this ensures the device enters promiscuous when the best is booted.

I don't believe a NIC would normally need to in promiscuous to see multicast traffic but in this case with the KVM guest it seems that was the case and it appears if the device is not set to promiscuous then it only sees IP packets on a subnet with the same IP as the NIC if not in promiscuous. Snort uses libpcap, the same library as tcpdump IIRC and if it's trying to set promiscuous via the any interface then it seems it's not succeeding where it should. I don't believe keepalive requires promiscuous under normal circumstances but in this case it seems to be the only way to see the multicast traffic.

Hope this helps.

Qemu simply maps the v-NIC to a tap, whatever you plug the tap into is up to you. Bridge is the obvious choice, but there's also openvswitch, for example.