Below is a copy of my /etc/network/interfaces configuration on my ProxMox Node.

The above config essentially uses my eno1 interface and creates a vlan aware bridge. On my Cisco switch, I made my native VLAN 999 on the trunk. By default, it is VLAN 1 and you will most likely find help guides that show VLAN 1 instead. I figured I would explain why mine says 999 versus what you would typically see so it made sense. My Management for ProxMox is on VLAN 10, tagged by the cisco switch. I created a sub interface of VLAN 10 and I added a comment to the config as well. I placed comments under each physical and bridged interface for reference. I am not currently utilizing eno3 for anything. This is what I would make my config look like before ever logging into the ProxMox GUI, and then verify what I see once logged into the GUI which I will show below. All the previous steps I am mentioning would be done from the command line. Once everything looks good, I save the configuration, then reboot the server as I have found just restarting the networking service has been hit and miss. Once the server is booted back up, just log into your server with the URL and port 8006. This is what the networking section will look like.

Below is my VM List in Prox List. You will notice it is only one node as I have mentioned before, and the VMs that I had running in my test. I have a bunch of networks hosted behind a pfSense firewall. My VMs and firewall are all on the same bridge, which is vmbr1. This guide is not meant how to configure pfSense and setup logical networks, I want to stay in the scope of the SPAN / Port Mirroring configuration.

ProxMox Node With Running VMs below

When you run a ifconfig, or ip link form the command line of your ProxMox server, you will see tap ports associated to the VM ID numbers generated by ProxMox. I chose to number mine a specific way (preference). 

Anyways, you will notice that if a VM has multiple interfaces, you will see multiple tap interfaces followed by an i and a number (starts with 0) and works its way up. The first interface on my Security Onion sensor is Management. My second interface is the promiscuous interface. This is important for when you run the command to copy all traffic to this interface. I will post a link to the sites I used and where I got this script from. You just have to modify it to fit your environment.

As you can see in the pictures, that tap interface correlates to the VM ID number, so it should make sense now that you can see it

The Script to setup the Mirror

This script will run two commands and send the output to a log file that you specify. It clears any mirrors on the vmbr you want to send the data to and then it collects all traffic and sends it to the specified vmbr of your choosing. Here is a link to the script that you can modify. I will post a screenhsot of how I manipulated it for my environment.

#!/bin/bash

# seconiontap.sh

SECONIONLOG=/root/logs/seconiontap.log

date >> $SECONIONLOG

echo "####################" >> $SECONIONLOG

echo "Clearing any existing mirror..." >> $SECONIONLOG

ovs-vsctl clear bridge vmbr4 mirrors

echo "Creating mirror on vmbr4 for Security Onion..." >> $SECONIONLOG

ovs-vsctl -- --id=@p get port tap301i1 \
-- --id=@m create mirror name=seconionspan select-all=true output-port=@p \
-- set bridge vmbr4 mirrors=@m >> $SECONIONLOG

echo "Showing existing mirrors..." >> $SECONIONLOG

ovs-vsctl list Mirror >> $SECONIONLOG

echo "####################" >> $SECONIONLOG

Remeber…This script is specific to me.

Once you run the script, you can cat the log output or tail it if you have done it several times. It continues to append to bottom each time you run the script. This is not persistent on reboots, so there is a crontab entry you need to add so after each reboot, it will set the mirror back up. I suggest verifying with tcpdump after a reboot to verify everything is working, even if the script ran successfully. It only takes a few seconds. Review the script so you understand what it is doing.

Testing that I am capturing traffic

After I have completed all steps above, to include creating the SPAN port on your switch that ProxMox is connected to, feeding it back into itself on a dedicated port, you should be able to run a tcpdump and jus filter for icmp. I do this because I can control when and how long I decide to run the test. I ran a ping from a windows 11 host to my domain controller. Below is a screenshot of a successful capture of my icmp packets. You see both the request and the reply.

That’s it. I hope this is helpful because I know I spent days trying to figure this out and a lot of different websites and phone calls with co-workers and friends. There are still kinks I am working out. I will update this post if I can tweak it. Please feel free to leave comments below.