No traffic comming from pfsense span interface

[rrbinda]

Hi guys, I´m building a security lab on top of HyperV and I´m having issuess to see the traffic in the monitoring interface of SecOnion.
I created 5 virtual switches as follows:

• WAN (external network)
• Attacker, Victim, SecOnionMGMT and Mirroring (private interface)

I´ve created a pfsense VM and connected it to all these vSwitches with this configuration:

WAN (wan) -> hn0 -> v4/DHCP4: 192.168.1.124/24
ATTACKER (lan) -> hn1 -> v4: 172.16.1.1/24
VICTIM (opt1) -> hn2 -> v4: 172.16.2.1/24
SECONIONMGMT (opt2) -> hn3 -> v4: 172.16.3.1/24
Mirroring (opt3) -> hn4
OPT4 (opt4) -> bridge0 ->

Bridge0 has the Victim interface as member and Mirroring as span port.
tcpdump in "hn4" interface shows me all traffic of Victim interface. Until here, everything working as expected.

Then, I created the SecOnion VM attaching it to 2 vSwitches: SecOnionMGMT and Mirroring;
If I run a tcpdump in the mirroring interface, I see no traffic.
Then, I set up the HyperV port mirroring, having the pfsense/Mirroring interface as source and the SecOnion/Mirroring interface as destination but still with no success.

Is there any missing configuration?

Regards,

Rodrigo

[dougburks]

If you run tcpdump on the Security Onion monitoring interface and don't see any traffic, then the problem exists outside of Security Onion.

[rrbinda]

hi, thanks for the reply. Indeed, it was outside Sec Onion. I disabled the bridge (span) in PFSENSE, connected the monitoring interface of SecOnion directly in the Victim switch and enabled the hypervisory port mirroring. Everything´s working now!

Thanks!