Proxmox Virtual Environment is a virtualization platform similar to VMware or VirtualBox. You can read more about Proxmox VE at


Proxmox defaults to a VM CPU which may not include all of the features of your host CPU. You may need to change this to host to pass through the host CPU type.


If you plan to use NetworkMiner or other Mono-based applications in a Proxmox VM, then you may need to set the VM Display to VMware compatible (vmware).


If you’re going to install Security Onion in Proxmox and sniff live network traffic, you may need to do some additional configuration in Proxmox itself. You can either passthrough a physical NIC to the VM or you can use a virtual NIC.

Passthrough Physical NIC

The first option is to sniff traffic from a physical NIC that has been passed through to the VM. For more information about Proxmox passthrough, please see:

Once the physical NIC is passed through to the Security Onion VM, then Security Onion should be able to correctly configure the NIC for sniffing.

Virtual NIC

The second option is to sniff traffic from a Proxmox virtual NIC. For more details, please see the discussion at

Keep in mind you may need to manually disable NIC offloading features on any Proxmox NIC used for sniffing (the physical interface and any related bridge interface). One way to do this is to add a post-up command to each sniffing interface in /etc/network/interfaces on the Proxmox host.

For example, if you have a Proxmox physical interface called enp2s0 with a bridge interface called vmbr1, then you might log into Proxmox and edit /etc/network/interfaces by adding the following to the enp2s0 section:

post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K enp2s0 $i off; done

and the following to the vmbr1 section:

post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K vmbr1 $i off; done

For more information about NIC offloading, please see