Tag Archives: IP address

Tip: Find the IP address of a virtual machine

Update: see comments

Virtual machines are given a virtual network, but have to decide on their own IP address, which they would usually get from DHCP or by static assignment. This is analogous to the physical case: a physical machine is plugged into a network port, but has to choose its own IP address somehow.

The problem with this is how do you know what IP address the virtual machine has picked?

There are several methods, but by far the simplest is to look at the output of the arp command on the same network segment (usually, just running arp -an on the host will do). As long as the VM has sent anything over the network, it will have sent out its IP address in an ARP response, and the host will have picked that up and added it to the ARP table.

For example, the one virtual machine I am running now has broadcast its IP address to the host:

$ arp -an
? (192.168.0.**) at **:**:**:23:06:bb [ether] on eth0
? (192.168.0.**) at **:**:**:74:02:28 [ether] on eth0
? ( at 52:54:00:18:04:63 [ether] on virbr0
? (192.168.0.**) at **:**:**:7c:8b:7e [ether] on eth0

I already described this and it works well if you have one or a few virtual machines, but if you have many, how do you know which MAC address corresponds to the one you want?

libvirt knows the MAC address which was assigned to each virtual machine’s network card. It is in the libvirt XML for the domain, and you can get it from libvirt using the command virsh dumpxml.

If we put all this together, we can write a short script which queries libvirt for the MAC address, then looks that up in the ARP table. All you need to do is to write:

# virt-addr F14x64

Note: As it stands this would only work as root, but you can make it also work for non-root by setting this environment variable:

$ export LIBVIRT_DEFAULT_URI=qemu:///system
$ virt-addr F14x64
$ ssh $(virt-addr F14x64)
rjones@'s password: ***
Last login: Sat Oct 16 16:56:17 2010 from
[rjones@f14x64 ~]$ 

The script follows below.

#!/usr/bin/perl -w

use strict;
use XML::XPath;
use XML::XPath::XMLParser;
use Sys::Virt;

# Open libvirt connection and get the domain.
my $conn = Sys::Virt->new (readonly => 1);
my $dom = $conn->get_domain_by_name ($ARGV[0]);

# Get the libvirt XML for the domain.
my $xml = $dom->get_xml_description ();

# Parse out the MAC addresses using an XPath expression.
my $xp = XML::XPath->new (xml => $xml);
my $nodes = $xp->find ("//devices/interface[\@type='network']/mac/\@address");
my $node;
my @mac_addrs;
foreach $node ($nodes->get_nodelist) {
    push @mac_addrs, lc ($node->getData)

# Look up the MAC addresses in the output of 'arp -an'.
my @arp_lines = split /\n/, `arp -an`;
foreach (@arp_lines) {
    if (/\((.*?)\) at (.*?) /) {
        my $this_addr = lc $2;
        if (list_member ($this_addr, @mac_addrs)) {
            print "$1\n";

sub list_member
    local $_;
    my $item = shift;
    foreach (@_) {
        return 1 if $item eq $_;
    return 0;


Filed under Uncategorized

Quick tip: Find the IP address of a virtual machine

virt-ifconfig will eventually fix this “properly”, although it’s yet again back on the drawing board while people upstream talk about heavyweight “guest agents”.

But while we’re waiting for that to happen, here’s a very quick and easy way to find out what IP address your virtual machine just acquired:

$ /sbin/arp -an
? ( at 00:17:f2:d8:db:3f [ether] on eth0
? ( at 52:54:00:37:a8:f8 [ether] on virbr0

That’s right — just run /sbin/arp -an and look for the new IP address that’s appeared. If you want to be clever you can look up the MAC address from the output of “virsh dumpxml” and match it to the MAC addresses from ARP, but usually that’s overkill.


Filed under Uncategorized

Half-baked ideas: reputation system for IP addresses

For other half-baked ideas, see my ideas tag.

I’m an obstinate log watcher. Watching web server logfiles in particular gives me a fascinating insight into how the bottom-feeders on the internet work, comment spammers, email harvesters, crap search engines and the like.

As a pretty random example, a single spammer (or more likely “illegal spam botnet”) just tried to fill in the comment form on one particular website I run 26 times in roughly 90 minutes. If you still have any myths about how sophisticated spammers are, read on.

Myth: spammers promote a particular website. Reality: spammers are still able to register huge numbers of random domains, and use very complex multi-step redirection.

Myth: spammers must operate from a limited set of IP addresses. Reality: spammers have access to virtually unlimited numbers of IP addresses.

Myth: each attack comes from a single IP address. Reality: attacks jump from IP addresses separated around the world, and those attacks are coordinated and look just like a single multi-step transaction, complete with correct cookies which must be passed between the hosts using a higher “back end” layer.

Myth: spambots don’t run Javascript, download images or solve captchas. Reality: …

The jury is still out on the last one. Certainly it’s not common, but a significant subset of comment spam does appear to come from real browsers, which run Javascript, download images and solve captchas. However I believe much or all of this must come from real people operating from sweatshops in countries with very low wages. That’s hard to tell just from looking at logfiles.

Each of the 26 completed transactions I saw involved multiple HTTP requests, and every single HTTP request came from a different IP address. But each completed transaction had a consistent cookie. In some cases the IP addresses were separated by half the earth, but HTTP requests followed each other in sub-second, indicating a sophisticated second level operation coordinating it all. Each request contained URLs for 4 websites, generated using random characters, and only some of these sites resolve.

So on to the half-baked idea.

Why don’t we have a proper, distributed reputation system for IP addresses?

A spammer can’t source an HTTP request from just any IP address, so they need to take over some grandma’s Windows PC, or someone’s web server, or persuade people to route some bogus AS. Every time an honest website owner (like me!) sees a bad IP, they register it.

Of course, spammers themselves will try to game the system, but they will do so from their own random IP addresses. We need to make sure that their “votes” count for less, and a reputation system should be able to decide this (eg. bad IP votes for bad IP? those votes count negatively).

If grandma tries to post a good comment, her IP may well cause that comment to be rejected. Good thing! She needs to clean up her (Windows) PC.

And what about ISPs who rotate IP addresses between good and bad customers? Those ISPs need to police their users and make sure they clean up their Windows PCs, or force the users on to better operating systems that don’t allow these exploits.

Note There are people classifying IPs now, eg. project honeypot and stop forum spam, but these guys don’t implement a reputation system and in some cases have nasty licensing terms which make the data that we provide for free into proprietary databases. No thanks.


Filed under Uncategorized