Hello,
I am trying to explain a strange behaviour I see with a FreeBSD guest I have on an external hypervisor.
My guest seems to work correctly now. I had to play with the receive and transmit checksum options for the external interface.
My guest's configuration:
FreeBSD 11.4 amd64 with virtio devices (disk, iface, ...)
I don't have access to the host. I'm just hosted on this hypervisor. I just know it is a Proxmox host.
When I do a tcpdump on the external interface (vtnet0), I see a lot of traffic that is not for my node. I mean it's not only broadcast traffic but packets for different services and different nodes.
Following is a part of a capture session:
Code:
reading from file ./issuetraff.dump, link-type EN10MB (Ethernet)
21:02:38.532822 IP xxx.xxx.xxx.12.41080 > xxx.xxx.xxx.203.3389: tcp 0
21:02:38.552592 IP xxx.xxx.xxx.22.13647 > xxx.xxx.xxx.60.8082: UDP, length 85
21:02:38.552614 IP xxx.xxx.xxx.17.53476 > xxx.xxx.xxx.217.3389: tcp 0
21:02:38.569288 IP xxx.xxx.xxx.13.43634 > xxx.xxx.xxx.217.7533: tcp 0
21:02:38.595649 IP xxx.xxx.xxx.244.2655 > xxx.xxx.xxx.37.445: tcp 0
21:02:38.600504 STP 802.1s, Rapid STP, CIST Flags [Proposal, Learn, Forward, Agreement], length 102
21:02:38.629172 IP xxx.xxx.xxx.144.3389 > xxx.xxx.xxx.8.3389: tcp 0
21:02:38.696554 IP xxx.xxx.xxx.74.54712 > xxx.xxx.xxx.40.445: tcp 0
21:02:38.700867 ARP, Request who-has xxx.xxx.xxx.123 tell xxx.xxx.xxx.122, length 46
21:02:38.779324 IP xxx.xxx.xxx.102.60373 > xxx.xxx.xxx.88.3389: tcp 0
21:02:38.798619 IP xxx.xxx.xxx.25.52563 > xxx.xxx.xxx.86.7193: tcp 0
21:02:38.802164 IP xxx.xxx.xxx.13.41912 > xxx.xxx.xxx.203.3389: tcp 0
21:02:38.807355 IP xxx.xxx.xxx.198.50893 > xxx.xxx.xxx.77.49189: tcp 0
21:02:38.819390 IP xxx.xxx.xxx.208.57691 > xxx.xxx.xxx.37.443: tcp 0
21:02:38.852833 IP xxx.xxx.xxx.64.32963 > xxx.xxx.xxx.186.25718: tcp 0
21:02:38.858586 IP xxx.xxx.xxx.90.64090 > xxx.xxx.xxx.7.445: tcp 0
21:02:38.859531 IP xxx.xxx.xxx.11.56320 > xxx.xxx.xxx.217.3389: tcp 0
21:02:38.887149 IP xxx.xxx.xxx.9.63480 > xxx.xxx.xxx.186.13000: tcp 0
21:02:38.909718 IP xxx.xxx.xxx.13.43634 > xxx.xxx.xxx.66.7565: tcp 0
21:02:38.968935 IP xxx.xxx.xxx.225.34664 > xxx.xxx.xxx.88.3389: tcp 0
21:02:38.985969 IP xxx.xxx.xxx.12.59700 > xxx.xxx.xxx.203.3389: tcp 0
21:02:39.013863 IP xxx.xxx.xxx.208.43929 > xxx.xxx.xxx.244.23: tcp 0
21:02:39.022850 IP xxx.xxx.xxx.76.50995 > xxx.xxx.xxx.105.52869: tcp 0
21:02:39.039853 IP xxx.xxx.xxx.17.59146 > xxx.xxx.xxx.203.3389: tcp 0
21:02:39.079838 IP6 fe80::250:56ff:fe00:1f8.546 > ff02::1:2.547: UDP, length 104
21:02:39.080307 IP6 fe80::250:56ff:feb6:f99d > ff02::1:ff00:1f8: ICMP6, neighbor solicitation, who has fe80::250:56ff:fe00:1f8, length 32
21:02:39.102900 IP xxx.xxx.xxx.105.38830 > xxx.xxx.xxx.203.3389: tcp 0
21:02:39.111294 IP xxx.xxx.xxx.16.59492 > xxx.xxx.xxx.217.3389: tcp 0
21:02:39.112860 IP xxx.xxx.xxx.93.15290 > xxx.xxx.xxx.30.445: tcp 0
21:02:39.131126 IP xxx.xxx.xxx.180.64577 > xxx.xxx.xxx.244.445: tcp 0
Source traffic is from nearly all over the world. Destination traffic is for the same range of addresses my IP belongs to. For both source and destination, I exclude broadcast/multicast/ARP traffic from the analysis, because it is more normal traffic.
Another point is that, from the capture, traffic is only seen in one direction: from "world" to "ip range" and not the opposite.
I wonder how this is possible? I mean I shouldn't see all this come to my host except the broad/multi/arp. Or am I missing something?
Maybe someone has an idea to explain that.
Thanks,
K.
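
The analysis described in the post (set aside broadcast/multicast/ARP, then check who the remaining packets are addressed to and in which direction they flow), as an added example that is not part of the original post. The function name, the guest address `192.0.2.10`, the prefix `192.0.2.0/24` and the sample lines are constructed assumptions; only the line format follows the capture shown above.

```python
import ipaddress
import re
from collections import Counter

# IPv4 lines of `tcpdump -n -q` text output, the format shown in the post.
LINE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (\w+)")

# Constructed sample: documentation addresses stand in for the masked ones.
SAMPLE = """\
21:02:38.532822 IP 203.0.113.12.41080 > 192.0.2.203.3389: tcp 0
21:02:38.552592 IP 198.51.100.22.13647 > 192.0.2.60.8082: UDP, length 85
21:02:38.595649 IP 203.0.113.244.2655 > 192.0.2.37.445: tcp 0
21:02:38.600504 STP 802.1s, Rapid STP, CIST Flags [Proposal, Learn], length 102
21:02:38.700867 ARP, Request who-has 192.0.2.123 tell 192.0.2.122, length 46
21:02:38.802164 IP 203.0.113.13.41912 > 192.0.2.203.3389: tcp 0
21:02:38.900000 IP 198.51.100.7.50000 > 192.0.2.10.22: tcp 0
21:02:38.900100 IP 192.0.2.10.22 > 198.51.100.7.50000: tcp 0
21:02:39.000000 IP 192.0.2.1.138 > 192.0.2.255.138: UDP, length 201
""".splitlines()

def summarize(lines, my_ip, prefix):
    """Bucket captured packets relative to my_ip and its on-link prefix."""
    me, net = ipaddress.ip_address(my_ip), ipaddress.ip_network(prefix)
    stats, ports = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:  # ARP, STP, IPv6 and IPv4 lines without ports
            stats["skipped"] += 1
            continue
        src, dst = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[3])
        if dst.is_multicast or dst == net.broadcast_address or str(dst) == "255.255.255.255":
            stats["bcast_mcast"] += 1
        elif me in (src, dst):
            stats["mine"] += 1
        elif dst in net and src not in net:  # outside -> someone else's address
            stats["inbound_to_neighbour"] += 1
            ports[(m[5].lower(), int(m[4]))] += 1
        elif src in net and dst not in net:  # a neighbour's traffic going out
            stats["outbound_from_neighbour"] += 1
        else:
            stats["other"] += 1
    return stats, ports

if __name__ == "__main__":
    stats, ports = summarize(SAMPLE, "192.0.2.10", "192.0.2.0/24")
    print(dict(stats))
    for (proto, port), n in ports.most_common():
        print(f"{proto}/{port}: {n}")
```

A nonzero `inbound_to_neighbour` count together with a zero `outbound_from_neighbour` count is the one-directional pattern the post describes; feed it real data with `tcpdump -n -q -r ./issuetraff.dump` output split into lines.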