Trisul Network Analytics
Developer Zone

**This is an old revision of the document!** ----

====== Configuring a Port Mirror on Proxmox VE for Trisul NSM ====== Proxmox VE is a leading enterprise virtualization platform that uses a KVM based hypervisor along with a nice web based management interface. We like Proxmox for NSM (Network Security Monitoring) applications due to its higher performance. In this article we talk about how you can create a Proxmox Virtual Machine running TrisulNSM and how you can connect a port span cable and bring the traffic into the virtual machine. ===== The setup ===== The challenge is to map a single physical port on the server running Proxmox to an interval VM which will be running Trisul Network Analytics. The physical port will be typically connected to a Port Mirror or SPAN port on a switch whose traffic is to be monitored. {{:articles:proxmox1.png?600|}} ==== Create a new bridge ==== The good news is Proxmox is based on Debian9 and you can login directly to the system and make configuration changes. Logon to the Proxmox server directly and create a new Bridge and add the physical port as the only member of that bridge. Edit ''/etc/network/interfaces'' and enter the following <code bash> auto vmbr7 iface vmbr7 inet manual bridge_ports enp2s0f1 bridge_stp off bridge_fd 0 bridge_ageing 0 </code> Then <code> systemctl restart network </code> Basically, this creates a dumb bridge with zero bridge_ageing, so it will just forward all packets to who ever is connected. Now ''brctl show'' should show you the new bridge. ==== Add a new interface to a VM using this bridge vmbr7 ==== Next logon to Proxmox VE and add a new sniffing interface using //Hardware -> Add -> Network Device// Then select the new bridge for this interface as shown below {{:articles:pve1.png?600|}} Then go back and review the VM, there should be TWO intefaces, one for management and the other for the sniffing. It should look like this. {{:articles:pve2.png?600|}}