Tcpdump only catching broadcast traffic

Networking & Firewalls
1

I am working on setting up suricata for the first time. I am running it on an Ubuntu 18.04 VM hosted in FreeNas. I have an extra (physical) intel NIC attached to the VM, which is plugged into a SPAN port on my Netgear switch, which is set to mirror TX and RX traffic from the LAN port on my USG Pro.

It seems though when I do a tcpdump on that promisc interface, I only see broadcast and ARP type traffic from the network (mdns, etc. No HTTP traffic or otherwise).

Did miss a step? Any pointers on how to troubleshoot?

Thanks again

2

Do the same test against a system that is not virtualized so you can determine if the issue is the filtering on the FreeNAS virtual network adapter or the Netgear.

3

Great suggestion. I ran it on the FreeNAS box itself and the traffic looks fine.
So it seems Bhyve must be filtering it out.

Anyone know a way around this? I will take a look at doing a PCI passthrough for the NIC.