Network Monitoring with libvmtrace #19

Open
AdityaNautiyal opened this issue Mar 25, 2022 · 1 comment

Comments

@AdityaNautiyal

I am a Computer Science research student exploring the field of cloud security. I came to know about your libvmi library through the paper " https://opus4.kobv.de/opus4-uni-passau/frontdoor/index/index/docId/831 " and want to know more about it.

Reading the paper, I found your tool pretty useful for our research, but I couldn't find any clear steps or documentation to set up and use the library. I have already cloned your git repo and now want to capture virtual machines' network packets using libvmtrace.
I would like to know the steps for:

  1. execution of the libvmtrace library
  2. capturing network packets of virtual machines in the Xen architecture from Dom0
  3. capturing system calls of processes from different virtual machines
@hr-ru
Collaborator

hr-ru commented Mar 30, 2022

First steps (dependencies, compilation) should be explained in the top-level README.

  1. Regarding execution, a good starting point is apps/csec.cpp, which is a simple example that traces system calls 0, 1 and 59 (read, write, execve on x86_64).

  2. Capturing network packets should be easier at the interface level on Dom0, so I am not sure why you would want to capture network packets using VMI.

  3. For capturing system calls of all processes, see 1. To do it more selectively, you can set up a CR3 handler and activate/deactivate tracing whenever the process you want to trace is scheduled. Unfortunately, this part is not really well documented. You might find some ideas on how to do this in the Saracenia honeypot code (also in apps).
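To make the selective-tracing idea in point 3 concrete, here is a constructed illustration added to this thread; it is not libvmtrace code and does not use its API. It models the filtering logic only: a CR3-write handler enables tracing while the target address space is scheduled, and syscall events (0, 1 and 59, the subset csec.cpp traces) are recorded only while tracing is active. The CR3 values and the event stream are made up.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed event kinds: a CR3 write models a context switch to the address
 * space identified by that value; a syscall carries the x86_64 syscall number. */
enum ev_kind { EV_CR3_WRITE, EV_SYSCALL };
struct event { enum ev_kind kind; uint64_t value; };

/* Tracer state: the CR3 of the process of interest, whether tracing is currently
 * enabled, and a per-syscall-number count (64 slots cover 0, 1 and 59). */
struct tracer { uint64_t target_cr3; bool active; int traced[64]; };

static void tracer_init(struct tracer *t, uint64_t target_cr3) {
    *t = (struct tracer){ .target_cr3 = target_cr3, .active = false };
}

/* The same subset csec.cpp traces: read (0), write (1), execve (59) on x86_64. */
static bool is_watched_syscall(uint64_t nr) { return nr == 0 || nr == 1 || nr == 59; }

/* One event: a CR3 write enables tracing only if the target address space is
 * now scheduled; syscalls are recorded only while active. Returns true if recorded. */
static bool tracer_handle(struct tracer *t, const struct event *e) {
    switch (e->kind) {
    case EV_CR3_WRITE:
        t->active = (e->value == t->target_cr3);
        return false;
    case EV_SYSCALL:
        if (!t->active || !is_watched_syscall(e->value)) return false;
        t->traced[e->value]++;
        return true;
    }
    return false;
}

/* Feed a constructed event stream (made-up CR3 values) and return how many
 * syscalls were recorded for the target address space. */
static int run_sample(struct tracer *t) {
    static const struct event stream[] = {
        { EV_CR3_WRITE, 0x1a3000 }, { EV_SYSCALL, 0 },   /* another process reads */
        { EV_CR3_WRITE, 0x2b7000 }, { EV_SYSCALL, 59 },  /* target scheduled, execve */
        { EV_SYSCALL, 1 }, { EV_SYSCALL, 39 },           /* write recorded, getpid ignored */
        { EV_CR3_WRITE, 0x1a3000 }, { EV_SYSCALL, 59 },  /* switched away, not recorded */
    };
    int n = 0;
    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++)
        if (tracer_handle(t, &stream[i])) n++;
    return n;
}
```

With the target set to the made-up CR3 0x2b7000, the stream yields exactly two recorded syscalls (one execve, one write); the read and execve issued from the other address space are dropped by the CR3 gate rather than by the syscall filter.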
