Issues with traffic monitoring

[The-Coding-Doc]

Version

2.4.150

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

4

RAM

24

Storage for /

500

Storage for /nsm

300

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hello everyone,

I have an issue with my Security onion installation. I am running Security Onion as a distributed version in a production environment.

I have setup 2 SPAN ports on the network's core switches: one for monitoring traffic on the most used VLANs and one for monitoring REAL IP VLAN traffic.

On the first SPAN port I am receiving plenty of traffic, however the destination IPs in Dashboards are mostly the broadcast IPs of the monitored networks, e.g. Source IP: 192.168.20.51 -> Destination IP: 192.168.20.255

On the second SPAN port for REAL IP monitoring I get very low to zero traffic activity, even though there is plenty of activity in the switch.

I would like to know if I have done any misconfigurations, since I cannot see the destination IPs from my internal network, so I don't know what are the internal hosts contacting.

Any ideas would be helpful.

Thank you

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[Zer0-cyber-web]

To my humble opinion - if your SPAN port does not show expected amount of traffic in tcpdump - that it is problem of SPAN configuration, not SO at all. But it would be very usefull if you would specify what tool are you using to determine amount of traffic on your port.

[NeoLife-iT]

I am interest in this subject as well. I captured a lot of packet on the sensor node but when I select the PCAP - it all error out. Pending status.

[InfosecGoon]

Do you see the traffic you're expecting if you run "tcpdump -i bond0" on your Forward Node?

[NeoLife-iT]

i am on VLAN this is the capture for 1 of the VLAN...

We have several VLAN ..does that mean I need forwarder node in every vlan or just the TRUNK port is needed?

Thanks for answering

[The-Coding-Doc]

To my humble opinion - if your SPAN port does not show expected amount of traffic in tcpdump - that it is problem of SPAN configuration, not SO at all. But it would be very usefull if you would specify what tool are you using to determine amount of traffic on your port.

I am currently only using the tcpdump inside the sensor node to see the traffic. There is a lot of traffic, however it mostly is all internal traffic, broadcast and multicast.

[NeoLife-iT]

i will have the opportunity to setup the PCAP with physical NIC for Testing next week - The current VM is using the Virtual NiC for PCAP so as this is a good as it get.