RE: Ghost traffic seen in all guest on a kvm hypervisor

Linux Advanced Routing and Traffic Control


 



If the bridge was acting as a hub, then the frames would pass through the hypervisor to the virtual NIC on the guest. If the frame was unicast, then the NIC would drop it; if the packet had a broadcast Ethernet address, then the frame would pass the NIC and hit the OS.

Have you checked the packets to verify whether the destination MAC address was all f's? Have you verified that this isn't multicast traffic?

Another question I would have: are the frames you're seeing in unexpected places coming in on interfaces that do not belong to the same bridged network? I.e., if your hypervisor has 2 separate bridged networks called A and B, and guest A only belongs to network A while guest B only belongs to network B, is guest B seeing packets come in on its interface that should've only belonged to network A?

Joel Gerber
Network Specialist
Network Operations
Eastlink
E: Joel.Gerber@xxxxxxxxxxxxxxxx T: 519.786.1241
-----Original Message-----
From: lartc-owner@xxxxxxxxxxxxxxx [mailto:lartc-owner@xxxxxxxxxxxxxxx] On Behalf Of Dennis Jacobfeuerborn
Sent: March-24-14 6:45 AM
To: Wolfgang Hennerbichler
Cc: lartc@xxxxxxxxxxxxxxx
Subject: Re: Ghost traffic seen in all guest on a kvm hypervisor

This is a CentOS 6 system and I haven't set the aging explicitly, but from the output of showstp it seems the aging is set to a non-zero value by default:

# brctl showstp vlanbr8
vlanbr8
  bridge id              8000.00259035bc06
  designated root        8000.00259035bc06
  root port                 0
  path cost                 0
  max age                  19.99
  bridge max age           19.99
  hello time                1.99
  bridge hello time         1.99
  forward delay            14.99
  bridge forward delay     14.99
  ageing time             299.95
  hello timer               1.85
  tcn timer                 0.00
  topology change timer     0.00
  gc timer                 15.85
  hash elasticity           4
  hash max                512
  mc last member count      2
  mc init query count       2
  mc router                 1
  mc snooping               1
  mc last member timer      0.99
  mc membership timer     259.96
  mc querier timer        254.96
  mc query interval       124.98
  mc response interval      9.99
  mc init query interval   31.24
  flags

The question, though, is that even if the bridge acted as a hub, wouldn't the guest drop the packets anyway since the MAC doesn't match? In other words, I would expect to see the packets on the interface with tcpdump but not that the traffic gets counted as incoming traffic on the interface.

Regards,
   Dennis

On 24.03.2014 08:04, Wolfgang Hennerbichler wrote:
> Make sure your bridge doesn't have a "bridge_maxage 0" configured or otherwise your software-switch will behave like a hub.
>
> On Mon, Mar 24, 2014 at 02:57:37AM +0100, Dennis Jacobfeuerborn wrote:
>> Hi,
>> I have a problem on a kvm hypervisor that I cannot explain. It 
>> appears that some traffic shows up in the interface monitoring in all 
>> of the guests on that hypervisor. We are not using broadcasts in any 
>> way and I see peaks of 100mbit for several minutes on all of these 
>> systems.
>>
>> Does anybody have an idea what could cause this?
>>
>> Regards,
>>    Dennis
>> --
>> To unsubscribe from this list: send the line "unsubscribe lartc" in 
>> the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo 
>> info at  http://vger.kernel.org/majordomo-info.html
>
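
Added example, not part of the original thread: one way to answer the questions raised above (is the destination MAC all f's, is it multicast, or is it unicast meant for another station) is to tally captured frames by destination address as seen from one guest. The frames, MAC addresses and function names below are constructed for illustration.

```python
from collections import Counter

BROADCAST = bytes.fromhex("ffffffffffff")

def parse_mac(text):
    """'52:54:00:aa:bb:01' -> 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return raw

def classify_frame(frame, guest_mac):
    """Classify one raw Ethernet frame by destination MAC, from the guest's view."""
    if len(frame) < 14:                # dst(6) + src(6) + ethertype(2)
        return "truncated"
    dst = frame[:6]
    if dst == BROADCAST:               # all f's
        return "broadcast"
    if dst[0] & 0x01:                  # I/G bit set: group (multicast) address
        return "multicast"
    if dst == guest_mac:
        return "unicast-to-guest"
    # Unicast for another station reached this port (e.g. flooded by the bridge).
    return "unicast-to-other"

def triage(frames, guest_mac_text):
    """Count frames per destination class for the guest with the given MAC."""
    guest = parse_mac(guest_mac_text)
    return Counter(classify_frame(f, guest) for f in frames)

def build_frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Helper to construct a sample frame (no FCS)."""
    return parse_mac(dst) + parse_mac(src) + ethertype.to_bytes(2, "big") + payload

# Constructed sample capture as seen on one guest interface.
GUEST = "52:54:00:aa:bb:01"
SAMPLE = [
    build_frame("ff:ff:ff:ff:ff:ff", "52:54:00:aa:bb:02", 0x0806),  # ARP broadcast
    build_frame("01:00:5e:00:00:fb", "52:54:00:aa:bb:02"),          # IPv4 multicast
    build_frame("33:33:00:00:00:01", "52:54:00:aa:bb:02", 0x86DD),  # IPv6 multicast
    build_frame(GUEST, "52:54:00:aa:bb:03"),                        # meant for us
    build_frame("52:54:00:aa:bb:09", "52:54:00:aa:bb:03"),          # someone else's
    build_frame("52:54:00:aa:bb:09", "52:54:00:aa:bb:03"),
    b"\xff\xff\xff",                                                # runt
]

if __name__ == "__main__":
    for kind, count in triage(SAMPLE, GUEST).most_common():
        print(f"{kind:18} {count}")
```

A large "unicast-to-other" share points at the bridge flooding frames to every port, while a large broadcast or multicast share points at the traffic source instead.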





