Hi everyone,
I’m looking for help understanding a problem I ran into while deploying Suricata in my environment. Below is my full setup and the issue I faced.
My Environment Setup
I have 3 physical host servers, and each host is running multiple Windows VMs.
Additionally, I have a dedicated Windows server running Suricata.
Suricata Server Details
- OS: Windows Server 2025 (does Suricata support this OS?)
- NIC 1 → Management interface
- NIC 2 → Dedicated to Port Mirroring (SPAN)
- This second NIC is connected to a switch port configured as the mirror destination.
Switch Setup
- The switch is the aggregation point for all 3 hosts (their uplinks connect to this switch).
- SPAN configuration:
  - Source: uplink ports of all 3 host servers
  - Destination: the 1‑Gig port connected to the Suricata server
The Problem
When I finished configuring Suricata and connected the mirrored port:
- All 3 host servers LOST network connectivity completely.
- The hosts were not pingable and couldn’t reach the network.
- As soon as we physically removed the Suricata server cable, everything immediately came back online with no issues.
My Question / Suspicions
The switch uplink ports are 10‑Gig, but my Suricata server’s mirrored port is only 1‑Gig.
So I want to ask:
Could the 10G → 1G SPAN traffic mismatch cause congestion or network flooding that disrupts all hosts?
And importantly:
Can someone please explain the correct Suricata setup (on Windows) to properly receive and inspect all mirrored traffic from multiple hosts without causing network outages?
I want to make sure:
- Suricata is configured the right way,
- The NIC in promiscuous mode is behaving correctly,
- And the switch‑side SPAN configuration is safe and not overloading the mirrored destination.
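As an added example (not from the original post and not the poster's configuration), below is a minimal `pcap:` capture section for `suricata.yaml` on a Windows sensor. On Windows, Suricata captures through npcap/libpcap rather than AF_PACKET, so the capture interface is addressed by its `\Device\NPF_{GUID}` name. The GUID shown is a placeholder; the `promisc` and `checksum-checks` keys are standard options of the `pcap:` section.

```yaml
# Added example: suricata.yaml capture section for a Windows sensor
# reading a SPAN port through npcap. The interface GUID is a placeholder.
pcap:
  - interface: "\\Device\\NPF_{00000000-0000-0000-0000-000000000000}"  # replace with the SPAN NIC's GUID
    promisc: yes            # mirrored frames are addressed to other MACs; the NIC drops them unless promiscuous
    checksum-checks: no     # mirrored copies often carry offloaded (unfinished) checksums; don't treat them as bad
    snaplen: 1518           # full Ethernet frames; raise it if the mirrored links carry jumbo frames
```

Usage: run `suricata.exe -c suricata.yaml -i "\Device\NPF_{...}" -l <log directory>`; the GUID in the NPF name is the same one Windows shows in the Transport Name column of `getmac /v`. Two practitioner checks go with this fragment: the SPAN NIC should have every protocol binding (IPv4, IPv6, client for Microsoft Networks and so on) unticked in its adapter properties, so the sensor only listens on the mirror port and never transmits into it; and after starting Suricata, `stats.log` (the `capture.kernel_packets` / `capture.kernel_drops` counters) tells you whether the 1‑Gig destination is keeping up with the mirrored volume or silently dropping frames.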