Hi,

Hoping somebody can help me...

My setup:

I have a debian server with multiple KVM guests on it. I have set up a bridge (br0) with a dedicated IP address on the host server that the guest virtual interfaces use.

KVM Guest 1: 78.x.x.100
KVM Guest 2: 78.x.x.110

Recently I needed to inspect traffic on the first guest, so from the host server I ran:

ngrep "" "host 78.x.x.100" -dbr0

As well as the expected traffic:
x.x.x.xort -> x.x.x.xort

I'm seeing lots of entries showing traffic from the 2nd guest to the 1st guest:
78.x.x.110 -> 78.x.x.100 5:1

I've not seen ngrep output before that doesn't show port numbers after each IP address - could anybody tell me what the 5:1 means?

Puzzled by this, I then ran:

ngrep "" "host 78.x.x.110" -dbr0

to inspect traffic from the 2nd guest.

Weirdly, I was seeing traffic from that was appearing to originate from the 2nd guest that should have been originating from the 1st guest...

78.x.x.110 -> 78.x.x.100 5:1

** IMAP TRAFFIC **

and the next line of output would repeat the same traffic but from the correct originiating IP to the remote client.

78x.x.x.100:143 -> x.x.x.xxxx

** SAME IMAP TRAFFIC **


Worth mentioning that I don't have ssh access to the 2nd guest (I do have access to the first guest) and don't know what is going on inside it, but there shouldn't be any traffic between the 2 guests.

Any ideas?

Thanks,
Colin.