Unwanted (NATed) traffic captured from span port on ESXi vSwitch


  • Here is the main topology; the pfSense is installed on an ESXi host.
    [image: Snipaste_2020-08-04_12-22-42.png]
    I was trying to capture LAN traffic, so I followed this guide, added a bridge with eth2 as a member and eth3 as the span port. The vSwitch is a standard vSwitch and I can capture the traffic from eth2.

    But I can also capture the NATed traffic from the monitor, which should only appear on the eth1 port.

    I'm not sure whether it's caused by a wrong configuration or something else, so I tried to use tcpdump to capture packets on bridge0 and eth3; both of them show that pfSense is not outputting NATed traffic. But when I tried to use pktcap-uw on the ESXi host to capture packets, it shows that pfSense DOES actually output NATed traffic.

    How can I fix this and stop pfSense from outputting NATed traffic?