Proxmox hosting SecurityOnion with OpenVSwitch mirror but not yet seeing traffic

jaredatobe

New Member
Jul 15, 2021
I posted this in SecurityOnion discussions, and they recommended that I open the question here, hopefully someone can help:

I used the information from vext.info (cheat-sheet-port-mirroring-ids-data-into-a-proxmox-vm) and (proxmox-seconiontap.sh) and (openvswitch:Basic Information) to set up an ovs mirror to a tap on the Security Onion vm, but it does not seem to be working as advertised. The only data I see is from the Security Onion server itself. Can anyone tell what I am missing?

Logs and Specs:

Proxmox node network info:
(I am not trying to sniff traffic on vmbr0/enp2s0, but only vms connected to vmbr1/enp4s0)
[image attachment: proxmox_node_network]
Security Onion VM network info:
[image attachment: proxmox_securityonion_network]
Listing of ovs ports:

Bash:
# ovs-vsctl list-ports vmbr1
enp4s0
tap101i1
tap102i0
tap103i0
tap104i1 #<-- security onion management interface (vmbr0)
tap104i2 #<-- security onion sniff interface, (vmbr1)
tap105i0
vlan10

Log output from proxmox-seconiontap.sh:
Bash:
####################
Tue 13 Jul 2021 09:22:18 PM CDT
####################
Clearing any existing mirror...
Creating mirror on vmbr1 for Security Onion...
78647069-b359-4440-b798-cd3174c87699
Showing existing mirrors...
_uuid               : 78647069-b359-4440-b798-cd3174c87699
external_ids        : {}
name                : "span1"
output_port         : bde419e6-11eb-484e-b561-3979e54d8acd
output_vlan         : []
select_all          : true
select_dst_port     : []
select_src_port     : []
select_vlan         : []
snaplen             : []
statistics          : {}
####################

Contents of shell script proxmox-seconiontap.sh:
Bash:
# cat proxmox-securityonion-tap.sh
#!/bin/dash
# /root/proxmox-securityonion-tap.sh
SECONIONLOG=/root/proxmox-securityonion-tap.log
date >> $SECONIONLOG
echo "####################" >> $SECONIONLOG
echo "Clearing any existing mirror..." >> $SECONIONLOG
# Drop every Mirror row referenced by the bridge so the script is idempotent
ovs-vsctl clear bridge vmbr1 mirrors
echo "Creating mirror on vmbr1 for Security Onion..." >> $SECONIONLOG
# One transaction: look up the sniff tap as @p, create a select-all mirror
# whose output_port is @p, and attach that mirror to vmbr1
ovs-vsctl -- --id=@p get port tap104i2 \
-- --id=@m create mirror name=span1 select-all=true output-port=@p \
-- set bridge vmbr1 mirrors=@m >> $SECONIONLOG
echo "Showing existing mirrors..." >> $SECONIONLOG
ovs-vsctl list Mirror >> $SECONIONLOG
echo "####################" >> $SECONIONLOG
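The post's log shows the mirror row but not whether its `output_port` UUID actually resolves to `tap104i2`, which is the first thing worth confirming when a span delivers only local traffic. The helper below is an added diagnostic, not part of the original post, the vext.info cheat sheet or `proxmox-seconiontap.sh`. It parses the `ovs-vsctl list Mirror` record format shown above and compares the mirror's output port with the UUID that `ovs-vsctl get port tap104i2 _uuid` returns; the record embedded in the script is a constructed sample copied from the post's log, and the live section at the bottom only runs when `ovs-vsctl` is installed.

```shell
#!/bin/sh
# Added example: sanity-check an OVS mirror record against the intended tap.
# Not from the post or the vext.info script; the sample record is constructed
# from the mirror output shown in the post.

# Print one column of an `ovs-vsctl list Mirror` record read on stdin.
# $1 = column name. Lines look like:  output_port  : <uuid>
mirror_field() {
    awk -v col="$1" '$1 == col { v = $3; gsub(/"/, "", v); print v; exit }'
}

# check_mirror RECORD EXPECTED_PORT_UUID
# Prints "ok" and returns 0 when the record selects all traffic and sends it to
# EXPECTED_PORT_UUID; otherwise prints the first problem found and returns 1.
check_mirror() {
    record="$1"
    expected="$2"
    out=$(printf '%s\n' "$record" | mirror_field output_port)
    all=$(printf '%s\n' "$record" | mirror_field select_all)
    if [ -z "$out" ] || [ "$out" = "[]" ]; then
        echo "no output_port set: the mirror has nowhere to copy frames"
        return 1
    fi
    if [ "$out" != "$expected" ]; then
        echo "output_port $out is not the intended tap ($expected)"
        return 1
    fi
    if [ "$all" != "true" ]; then
        echo "select_all is '$all': only explicitly selected ports/VLANs are mirrored"
        return 1
    fi
    echo ok
    return 0
}

# Constructed sample: the Mirror record from the post's log.
SAMPLE_RECORD='_uuid               : 78647069-b359-4440-b798-cd3174c87699
external_ids        : {}
name                : "span1"
output_port         : bde419e6-11eb-484e-b561-3979e54d8acd
output_vlan         : []
select_all          : true
select_dst_port     : []
select_src_port     : []
select_vlan         : []
snaplen             : []
statistics          : {}'

# Live check on a Proxmox node; skipped where ovs-vsctl is absent.
if command -v ovs-vsctl >/dev/null 2>&1; then
    port_uuid=$(ovs-vsctl get port tap104i2 _uuid)
    check_mirror "$(ovs-vsctl list Mirror span1)" "$port_uuid"
    # If the record checks out, watch the host side of the tap while another VM
    # on vmbr1 generates traffic. Frames seen here but not inside the guest
    # point at the guest interface (down, or not in promiscuous mode), not OVS:
    #   timeout 10 tcpdump -ni tap104i2 -c 20
fi
```

Two OVS behaviours to keep in mind when reading the result: a port named in a mirror's `output_port` is reserved for mirroring, so frames the guest transmits on that interface are discarded by the bridge (the sniff interface is not expected to be able to send), and `select_all=true` only covers frames that actually traverse `vmbr1`, so traffic that stays on `vmbr0` will never appear on the span.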