Networking help needed: Promisc config for guest Snort



I am looking for some direction on how to configure KVM networking so that a promiscuous bridge/host nic/guest nic allows two different network monitoring packages to sniff the same physical traffic.

The idea is to run a commercial package on the CentOS 6.5 host and Snort, via Security Onion, on the guest, both being fed by a physical switch SPAN or physical firewall TAP.

The host has two NICs, one for management and one for sniffing. I am using libvirt and libvirt-manager to supplement configuration.

I have basic bridge networking configured and connected on the management NIC, but I can’t seem to figure out the missing piece for getting physical network traffic from the SPAN/TAP port to the Xubuntu guest NIC for sniffing.

I have seen mention of setting the bridge aging time to 0, but that did not seem to work and the only place I could find to verify the setting was by running brctl showmacs . I have also seen posts saying this was more of a workaround, without discussing an alternate method.

I have tinkered with setting the host nic, bridge, and guest nic to promiscuous mode, only to see relatively equal traffic climb on the host nic and bridge, but not the guest nic.

Other searched have turned up discussions about tunctl and its implementation, so at this point I figured a reality check was in order.

Is this idea feasible? If so, where should I be looking for information on how to implement it?

Thanks in advance for any pointers.