Hi r/networking!
I have been having some trouble over the past few days in a network monitoring deployment with AlienVault OSSIM.
I am attempting to configure a spanning port that feeds traffic into a dedicated interface (eth1) on the server that is in promiscuous mode.
If I run tcpdump -i eth1 I receive a small amount of broadcast traffic. If I run tcpdump -i eth1 tcp or tcpdump -i eth1 udp I receive no traffic at all.
If I run netstat -i, eth1 does show BMPRU flags, which I believe confirms that the interface is in promiscuous mode. If I run ifconfig, eth1 shows UP BROADCAST RUNNING PROMISC MULTICAST.
The spanning port is configured on a Catalyst 3560 as follows:
monitor session 2 source interface Ge1/24 #This is the uplink to my firewall
monitor session 2 destination interface Ge1/20 #This is the Port that is connected directly to eth1
Other notes:
The machine in question is a VM on ESXi 6.0 - there is a separate vSwitch configured which is bound to eth1 and the AlienVault VM is a member. (I have working deployments configured exactly the same and configure the servers with a PowerCLI script.)
Iptables is off.
I'm stumped! Any help is appreciated.