i found the link below and a few others on the net but this one explains what i'm trying to do, at least from a vm perspective: dailysysadmin.com/KB/Article/965/port-mirroring-cisco-switch-virtual-machine-vmware-esxi-host/ made those configurations & mirrored the pfsense LAN switch port to security onion. checking now if i have the VLAN option correct but for now seeing a lot of traffic on the securityonion " ens192 " interface, the one without an ip that, i think, captures on all interfaces. getting there. i want to get the actual traffic to securityonion for analysis, say versus streaming pfsense syslog to securityonion. so port mirroring the pfsense LAN port is the way to do so, yes?