How to pass a Cisco SPAN port/session to a Proxmox VM?

J

jimmyjoe

Active Member
Proxmox Subscriber
Jan 12, 2015
94
2
28
I want to run suricata on a Proxmox VM (not a container). The Network admin setup a SPAN session on the switch which the Proxmox hypervisor is jacked into on eth1. I can run tcpdump on Proxmox and see all the subnet traffic going across eth1 (TCP,UDP,ICMP,etc). So far, so good.

I then created a bridge (vmbr42) on Proxmox and added eth1 to it. Then, added this bridge to the VM, I ran tcpdump on the new interface inside the VM. I wasn't able to see any TCP traffic. Mostly just UDP, ARP and STP. Why is this? I've tried setting promisc mode on the eth1 interface in the VM, as well as vmbr42 but this made no difference in visible traffic on the VM.

How can I view the SPAN session from within the Proxmox VM?
 
Without deeper knowledge I would say that vmbr42 is acting like a switch and thus only forwards the traffic to the respective guest which is the valid recipient, just like a hardware switch would do.
But I don't know an answer to your question.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back