I have a VPC network set up in google cloud with a few instances running. One of these instances serves as a VPN machine, allowing me to interact with the instances from the internet.

I want to capture traffic:

  1. From the internet to the VPC network. For this I simply use tcpdump on the vpn machine.
  2. Internally, i.e. packets between the instances. And that I don't know how to do. I cannot rely on my instances (using tcpdump directly in them isn't an option in my case). Instead, because in VPCs there is no "real" network layer 2 as it is virtualized, I was hoping that it would be possible to somehow tap into the cloud router and capture all packets from there, but it doesn't seem to be possible. Or is it?

Does anybody have an idea on what I could do here? Would be much appreciated. Thanks!

AleVe
  • Have you seen this? It seems as though tcpdump can be run on your instances: https://cloud.google.com/compute/docs/vpc/special-configurations – Paddy Popeye Sep 06 '17 at 14:44
  • Thanks for your answer. I was not clear enough in my question. It is my setup that prevents me from running tcpdump on the instances, that's why I am looking for another way. – AleVe Sep 11 '17 at 14:38

3 Answers


You can enable VPC Flow Logs. This logs each VM's TCP and UDP flows, inbound and outbound. These flows can be between a VM and another VM in the same VPC. You also need to consider limiting the number of logs generated to reduce your Stackdriver costs.

Khalid K
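Once flow logs are on, the intra-VPC traffic the question asks about has to be picked out of the exported records, and each VM-to-VM flow shows up twice (once per reporting endpoint). The script below is an added example, not code from the answer or from Google: it reads constructed log lines shaped like VPC Flow Logs jsonPayload records (the field names are an assumption about the record format), keeps only flows where both ends are VMs in the named VPC, deduplicates the two reports of each flow, and totals bytes per VM pair.

```python
import json
from collections import defaultdict

# Constructed sample lines shaped like VPC Flow Logs jsonPayload records. The field
# names (connection, reporter, src_instance, src_vpc, ...) are an assumption about
# the record format, not something the answer above spells out.
SAMPLE_LOG_LINES = [
    # web-1 -> db-1, reported by both endpoints: the same 5-tuple appears twice
    '{"connection":{"src_ip":"10.0.0.2","dest_ip":"10.0.0.3","src_port":44120,"dest_port":5432,"protocol":6},'
    '"bytes_sent":1200,"reporter":"SRC","src_instance":{"vm_name":"web-1"},"dest_instance":{"vm_name":"db-1"},'
    '"src_vpc":{"vpc_name":"prod"},"dest_vpc":{"vpc_name":"prod"}}',
    '{"connection":{"src_ip":"10.0.0.2","dest_ip":"10.0.0.3","src_port":44120,"dest_port":5432,"protocol":6},'
    '"bytes_sent":1200,"reporter":"DEST","src_instance":{"vm_name":"web-1"},"dest_instance":{"vm_name":"db-1"},'
    '"src_vpc":{"vpc_name":"prod"},"dest_vpc":{"vpc_name":"prod"}}',
    # db-1 -> web-1 reply, seen only by the destination side
    '{"connection":{"src_ip":"10.0.0.3","dest_ip":"10.0.0.2","src_port":5432,"dest_port":44120,"protocol":6},'
    '"bytes_sent":8000,"reporter":"DEST","src_instance":{"vm_name":"db-1"},"dest_instance":{"vm_name":"web-1"},'
    '"src_vpc":{"vpc_name":"prod"},"dest_vpc":{"vpc_name":"prod"}}',
    # internet client -> VPN instance: no src_vpc, so it is not a VM-to-VM flow
    '{"connection":{"src_ip":"203.0.113.9","dest_ip":"10.0.0.1","src_port":51000,"dest_port":1194,"protocol":17},'
    '"bytes_sent":300,"reporter":"DEST","dest_instance":{"vm_name":"vpn-1"},"dest_vpc":{"vpc_name":"prod"}}',
]

def is_internal(rec, vpc_name):
    """True when both endpoints are VMs in vpc_name."""
    return (rec.get("src_vpc", {}).get("vpc_name") == vpc_name
            and rec.get("dest_vpc", {}).get("vpc_name") == vpc_name)

def summarize_internal_flows(lines, vpc_name):
    """Return ({(src_vm, dest_vm, dest_port): bytes}, count_of_other_records).
    Records are first collapsed per 5-tuple, preferring the SRC-side report but
    keeping a DEST-only one, so each VM-to-VM flow is counted exactly once."""
    per_flow, other = {}, 0
    for line in lines:
        rec = json.loads(line)
        if not is_internal(rec, vpc_name):
            other += 1
            continue
        c = rec["connection"]
        key = (c["src_ip"], c["dest_ip"], c["src_port"], c["dest_port"], c["protocol"])
        if key not in per_flow or rec["reporter"] == "SRC":
            per_flow[key] = rec
    totals = defaultdict(int)
    for key, rec in per_flow.items():
        totals[(rec["src_instance"]["vm_name"], rec["dest_instance"]["vm_name"], key[3])] += rec["bytes_sent"]
    return dict(totals), other

if __name__ == "__main__":
    for (src, dst, port), n in sorted(summarize_internal_flows(SAMPLE_LOG_LINES, "prod")[0].items()):
        print(f"{src} -> {dst}:{port}  {n} bytes")
```

Flow logs give you flow metadata, not packet payloads, so this tells you who talked to whom and how much, which is what the question can get without tcpdump on the instances.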

Assuming you are using a Debian image from Google you can install and use tcpdump to capture traffic.

$ sudo apt update
$ sudo apt install -y tcpdump
$ sudo tcpdump -i eth0
This is hilariously cumbersome, I'm only describing it because some organizations actually do use this way:

TL;DR routing everything through another dedicated VPC.

Create "left" VPC, create "security" VPC, create "right" VPC.

Establish routing so that packets travel:

  • left -> security -> right
  • right -> security -> left

Establish VPC peerings (well, otherwise you cannot do such routing).

Create an instance inside "security" (actually it's better to have a pair of instances behind an internal TCP load balancer) and run tcpdump there. Or snort, or something similar. Or even a firewall-on-a-VM. Both NICs should have "Enable IP forwarding" = Yes.

Packets between left and right will be captured, but not traffic left-to-left or right-to-right.

By the way, the VPN instance can also be moved to "security" VPC.

kubanczyk