FreeBSD network monitor with VMware Workstation

Richard Bejtlich, a well-known security expert, published an insight on how to setup a FreeBSD network sensor for traffic sniffing:

Several of you have asked about my experiences using FreeBSD sensors inside VMware Workstation. I use VMs in my Network Security Operations class. I especially use VMs on the final day of training, when each team in the class gets access to a VM attack host, a VM target, a VM sensor, and a VM to be monitored defensively. As currently configured, each host has at least one NIC bridged to the network. The sensor VMs have a second interface with no IP also bridged to the network. When any VM takes action against another, the sensors see it. This scenario does not describe how a VM sensor might watch traffic from a tap, however.

I decided to document how to use VMware to create a sensor that sniffs traffic from a tap. I outline two scenarios. The first uses a port aggregator tap with a single interface out to a sensor. The second uses a traditional tap with two interfaces out to a sensor.

Read more at source.

Notice that performances could be slightly worst than in a physical box so you should test the solution before adopt it in production.
I would also perform a packet count on both physical and virtal machines during the wiretap.