Proxmox VE is a leading enterprise virtualization platform that uses a KVM based hypervisor along with a nice web based management interface. We like Proxmox for NSM (Network Security Monitoring) applications due to its higher performance.

In this article we talk about how you can create a Proxmox Virtual Machine running TrisulNSM and how you can connect a port span cable and bring the traffic into the virtual machine.

The challenge is to map a single physical port on the server running Proxmox to an interval VM which will be running Trisul Network Analytics. The physical port will be typically connected to a Port Mirror or SPAN port on a switch whose traffic is to be monitored.

The good news is Proxmox is based on Debian9 and you can login directly to the system and make configuration changes. Logon to the Proxmox server directly and create a new Bridge and add the physical port as the only member of that bridge.

Edit /etc/network/interfaces and enter the following

auto vmbr7
iface vmbr7 inet manual
	bridge_ports enp2s0f1
	bridge_stp off
	bridge_fd 0
	bridge_ageing 0

Then

systemctl restart network

Basically, this creates a dumb bridge with zero bridge_ageing, so it will just forward all packets to who ever is connected.

Now brctl show should show you the new bridge.

Next logon to Proxmox VE and add a new sniffing interface using Hardware → Add → Network Device

Then select the new bridge for this interface as shown below

Then go back and review the VM, there should be TWO intefaces, one for management and the other for the sniffing. It should look like this.