How to pass a Cisco SPAN port/session to a Proxmox VM?

[jimmyjoe]

I want to run suricata on a Proxmox VM (not a container). The Network admin setup a SPAN session on the switch which the Proxmox hypervisor is jacked into on eth1. I can run tcpdump on Proxmox and see all the subnet traffic going across eth1 (TCP,UDP,ICMP,etc). So far, so good.

I then created a bridge (vmbr42) on Proxmox and added eth1 to it. Then, added this bridge to the VM, I ran tcpdump on the new interface inside the VM. I wasn't able to see any TCP traffic. Mostly just UDP, ARP and STP. Why is this? I've tried setting promisc mode on the eth1 interface in the VM, as well as vmbr42 but this made no difference in visible traffic on the VM.

How can I view the SPAN session from within the Proxmox VM?

 

[ph0x]

Without deeper knowledge I would say that vmbr42 is acting like a switch and thus only forwards the traffic to the respective guest which is the valid recipient, just like a hardware switch would do.
But I don't know an answer to your question.

 

[spirit]

maybe can you try to passthough eth1 inside the vm ?

another way, add " bridge_ageing 0" to your vmbr42, i'll work like a hub, flooding traffic to all ports