
I am attempting to test my new Security Onion install. I have it set up on a static IP Ethernet adapter in a virtual machine with an IP of 10.0.3.47.

When I launch Sguil, it seems to work well enough, but it only sees broadcast traffic and traffic going to or from 10.0.3.47. The virtual machine was set up to accept all promiscuous traffic, but since then I have directly connected an Ethernet over USB adapter with PNP Linux support. I also have another desktop connected via bridged Ethernet with Kali Linux on it, and when I launch Wireshark on that machine I get the same result. Any ideas on what I am doing wrong, or how I can fix this?

mberna
  • Agree with @johny. Even in a virtual environment the switch works in the same way. – Fis May 26 '17 at 18:59
  • Yes, being a corporate environment, I do have many endpoints on a switch! Good to know it wasn't my configuration. Just goes to show how much I still have to learn about networking. I will look into the SPAN port option. – mberna May 26 '17 at 20:43
  • @Johnny Please post this as an answer so that you can get the points. – mberna May 26 '17 at 20:55
  • @Johnny can you turn your comment into an answer? – Fis May 27 '17 at 05:31

1 Answer


How are these all connected? If you're using a switch, this is to be expected.

On a switch you'll only see traffic destined for your own segment.

Typically, for messing around with Security Onion in a home environment, you're better off replaying some of the included pcaps to simulate traffic, since not everybody has a switch with a SPAN port or a bunch of taps lying around.

Ivan
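A check for the behaviour the answer describes, added here as example code rather than anything from the question or the answer: parse a pcap, bucket each frame by whether a switch would deliver it to the capture host's port without a SPAN port or tap, and flag when unicast between two other hosts shows up. The pcap bytes, MAC addresses and frame payloads are constructed for the example.

```python
import struct

BROADCAST = b"\xff" * 6

def build_pcap(frames):
    """Wrap raw Ethernet frames in a minimal little-endian pcap (link type 1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)

def iter_frames(pcap):
    """Yield the raw frames from pcap bytes, honouring the file's byte order."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def classify(pcap, own_mac):
    """Count frames by whether a switch would forward them to own_mac's port
    without mirroring: broadcast/multicast, unicast to/from us, or neither."""
    counts = {"broadcast_or_multicast": 0, "own_unicast": 0, "foreign_unicast": 0}
    for frame in iter_frames(pcap):
        dst, src = frame[0:6], frame[6:12]
        if dst[0] & 1:                         # I/G bit: broadcast or multicast
            counts["broadcast_or_multicast"] += 1
        elif own_mac in (dst, src):
            counts["own_unicast"] += 1
        else:                                  # only visible via a SPAN port or tap
            counts["foreign_unicast"] += 1
    return counts

def sees_other_hosts(pcap, own_mac):
    """True once unicast between two other hosts appears, i.e. mirroring works."""
    return classify(pcap, own_mac)["foreign_unicast"] > 0

# Constructed sample: three MACs and minimal 34-byte IPv4-typed frames with filler payload.
OWN, HOST_A, HOST_B = (bytes.fromhex("0242ac1100%02x" % n) for n in (2, 3, 4))
def frame(dst, src):
    return dst + src + b"\x08\x00" + b"\x00" * 20
SWITCHED_ONLY = build_pcap([frame(BROADCAST, HOST_A), frame(OWN, HOST_A), frame(HOST_A, OWN)])
MIRRORED = build_pcap([frame(BROADCAST, HOST_A), frame(OWN, HOST_A),
                       frame(HOST_A, OWN), frame(HOST_B, HOST_A)])
```

Run classify() over a real capture read from disk in binary mode to confirm whether the sensor sees anything beyond its own traffic and broadcasts.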