Identify traffic on the HV and identify the VM

  OnApp

Access the HV over SSH and look for the traffic with tcpdump.

Example: I accessed an HV in Miami.
I am monitoring 200 packets on interface eth0 for destination IP 219.128.79.164.

Keep in mind that on this Miami HV the interface eth0 carries the public traffic. In the command below, -e prints the link-layer header (which is what exposes the source MAC address used in the next step), -n disables host-name resolution, and -c200 stops the capture after 200 packets.

[root@38.143.71.130 ~]# tcpdump -eni eth0 host 219.128.79.164 -c200
Output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:54:48.010875 00:16:3e:d4:8c:89 > e4:f0:04:c5:11:55, ethertype IPv4 (0x0800), length 937: 38.143.70.114.932 > 219.128.79.164.metagram: Flags [SE], seq 61079848:61080731, win 63242, length 883
15:54:48.010945 00:16:3e:d4:8c:89 > e4:f0:04:c5:11:55, ethertype IPv4 (0x0800), length 903: 38.143.68.124.32575 > 219.128.79.164.metagram: Flags [SE], seq 2134844212:2134845061, win 65185, length 849
15:54:48.011026 00:16:3e:d4:8c:89 > e4:f0:04:c5:11:55, ethertype IPv4 (0x0800), length 913: 38.143.70.134.18312 > 219.128.79.164.metagram: Flags [SE], seq 1200138522:1200139381, win 61677, length 859
15:54:48.011096 00:16:3e:d4:8c:89 > e4:f0:04:c5:11:55, ethertype IPv4 (0x0800), length 916: 38.143.70.217.18083 > 219.128.79.164.metagram: Flags [SE], seq 1185106214:1185107076, win 63053, length 862
15:54:48.011164 00:16:3e:d4:8c:89 > e4:f0:04:c5:11:55, ethertype IPv4 (0x0800), length 916: 38.143.68.215.55349 > 219.128.79.164.metagram: Flags [SE], seq 3627375894:3627376756, win 62714, length 862
15:54:48.011238 00:16:3e:d4:8c:89 > e4:f0:04:c5:11:55, ethertype IPv4 (0x0800), length 918: 38.143.69.220.42571 > 219.128.79.164.metagram: Flags [SE], seq 2789996377:2789997241, win 62761, length 864
15:54:48.011317 00:16:3e:d4:8c:89 > e4:f0:04:c5:11:55, ethertype IPv4 (0x0800), length 916: 38.143.68.106.63525 > 219.128.79.164.metagram: Flags [SE], seq 4163210799:4163211661, win 64185, length 862
15:54:48.011391 00:16:3e:d4:8c:89 > e4:f0:04:c5:11:55, ethertype IPv4 (0x0800), length 934: 38.143.70.89.3092 > 219.128.79.164.metagram: Flags [SE], seq 202668346:202669226, win 65132, length 880
...
cut
...

Now that we know the MAC address, we look up which VM is using it.
Keep in mind that jhrvjeuszyvvrd is the identifier of the Miami network (MIA1-LETSCLOUD) and is the bridge name the brctl commands below operate on. You can get this identifier at https://mgmt.letscloud.io/settings/networks

[root@38.143.71.130 ~]# brctl showmacs jhrvjeuszyvvrd | grep 00:16:3e:d4:8c:89
Output:
54 00:16:3e:d4:8c:89 no 0.00
[root@38.143.71.130 ~]# brctl showstp jhrvjeuszyvvrd | grep "(54)"
Output:
qankoatbhtrneu (54)
qankoatbhtrneu is the identifier of the network interface used by the VM (the 54 returned by showmacs is the bridge port number, and showstp maps that port number back to the interface name). With this identifier we search iptables for the IP address tied to it.
[root@38.143.71.130 ~]# iptables -vnL | grep qankoatbhtrneu
Output:
2 134 ACCEPT all -- * * 38.143.69.26 0.0.0.0/0 PHYSDEV match --physdev-in qankoatbhtrneu --physdev-out eth0 --physdev-is-bridged
17M 3569M qankoatbhtrneu all -- * * 0.0.0.0/0 38.143.69.26 PHYSDEV match --physdev-out qankoatbhtrneu --physdev-is-bridged
Chain qankoatbhtrneu (1 references)
[root@38.143.71.130 ~]#
Now that we have the IP, just look it up in the UI to find the VM, or alternatively query the database by the MAC address:
SELECT * FROM virtual_machines AS VM
INNER JOIN networking_network_interfaces AS N ON N.virtual_machine_id = VM.id
WHERE N.mac_address = '00:16:3e:d4:8c:89';
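The lookup chain above (MAC -> bridge port -> interface name -> IP), as an added shell script that is not OnApp's or this runbook's own code. The parsers are fed constructed sample output in the formats shown on this page so they run offline; resolve_mac assumes brctl and iptables are available on the HV exactly as in the session above.

```shell
#!/bin/sh
# Added example (not OnApp code): chains the three lookups from this runbook,
# brctl showmacs -> brctl showstp -> iptables -vnL, into one script.
# Each parser takes the command output as its first argument so it can be
# exercised offline on the constructed samples below; resolve_mac() runs the
# real commands on the hypervisor.

# Bridge port number that learned the MAC (showmacs columns: port no, mac addr, ...).
port_for_mac() {
    printf '%s\n' "$1" | awk -v mac="$2" '$2 == mac { print $1; exit }'
}

# Interface (bridge port) name whose showstp section header reads "<name> (<port>)".
iface_for_port() {
    printf '%s\n' "$1" | awk -v p="($2)" '$2 == p { print $1; exit }'
}

# Source address of the rule matching --physdev-in <iface>
# (iptables -vnL columns: pkts bytes target prot opt in out source destination).
ip_for_iface() {
    printf '%s\n' "$1" | awk -v i="--physdev-in $2 " 'index($0, i) { print $8; exit }'
}

# Live lookup on the HV: bridge = network identifier from the UI, mac = from tcpdump -e.
# Usage: resolve_mac jhrvjeuszyvvrd 00:16:3e:d4:8c:89
resolve_mac() {
    bridge="$1"; mac="$2"
    port=$(port_for_mac "$(brctl showmacs "$bridge")" "$mac")
    [ -n "$port" ] || { echo "MAC $mac not learned on bridge $bridge" >&2; return 1; }
    iface=$(iface_for_port "$(brctl showstp "$bridge")" "$port")
    ip=$(ip_for_iface "$(iptables -vnL)" "$iface")
    printf 'mac=%s port=%s iface=%s ip=%s\n' "$mac" "$port" "$iface" "${ip:-unknown}"
}

# Constructed samples mirroring the output formats shown on this page.
SAMPLE_MACS='port no mac addr is local? ageing timer
 12 00:16:3e:aa:bb:cc no 1.50
 54 00:16:3e:d4:8c:89 no 0.00'
SAMPLE_STP='jhrvjeuszyvvrd
 bridge id 8000.e4f004c51155
abcdefghijklmn (12)
 port id 800c state forwarding
qankoatbhtrneu (54)
 port id 8036 state forwarding'
SAMPLE_IPT='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 2 134 ACCEPT all -- * * 38.143.69.26 0.0.0.0/0 PHYSDEV match --physdev-in qankoatbhtrneu --physdev-out eth0 --physdev-is-bridged
 17M 3569M qankoatbhtrneu all -- * * 0.0.0.0/0 38.143.69.26 PHYSDEV match --physdev-out qankoatbhtrneu --physdev-is-bridged'
```

A MAC that the bridge has not learned yields an empty port and resolve_mac returns 1 instead of continuing with an empty interface name.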